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Preface 


About This Manual 


The Expert Analyzer Output File Format manual describes the format of the Expert 
analyzer output file and the data it contains. 


For information about the Expert analyzer and how to save an Expert analyzer output 
file, refer to the Analyzer Operations manual. 


Navigational Aids Used in This Manual 


This manual uses icons in the margin to help you locate important information as 
explained below: 


important; you should be certain to read it carefully before you proceed. 


= IMPORTANT INFORMATION. Next to this icon is information that is especially 


Conventions Used in This Manual 


The following describes the conventions used in this manual: 
Bold Menu options are in bold type. For example: 
Move to Display, and press Enter. 


UPPERCASE Filenames and commands you type at a DOS prompt are in 
uppercase. For example: 


Modify the AUTOEXEC.BAT file if necessary. To duplicate the 
file, use the COPY command. 


Bold italics Variables, for which you provide values, are in bold italics. For 
example: 


Type the number of minutes and seconds in the mm:ss format. 


Item1 \Item2 A menu title made up from the succession of menu items chosen 
to get to the submenu. For example, to filter out MAC frames 
during capture, you would go to the Capture filters \Protocol 
menu. 
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Technical Support 


Vi 


A toll-free number is available for customers under warranty or Extended Software 
Support Service to obtain technical support for Network General Corporation 
products. Before calling, however, please refer to the “Troubleshooting” section in the 
Expert Sniffer Network Analyzer Operations manual. You will find tips for 
troubleshooting your system as well as information you will need before requesting help. 
When you call, be sure to have your Sniffer Network Analyzer serial number ready. 


Network General Corporation’s Technical Support personnel are available from 6 a.m. 
to 6 p.m. Pacific time, weekdays. Outside of support hours, you may leave a voice 
message by calling the toll-free telephone number. 


Figure i describes the various ways to contact the Technical Support department. 


Network General Corporation 
Technical Support Department 


Toll-Free Telephone Number (800) 395-3151 
FAX Number (415) 327-9436 
TDD for the Hearing Impaired | (415) 327-8723 
Internet Address support@ngc.com 
SniffNet BBS (2400 baud) (415) 327-3875 
SniffNet BBS (9600 baud) (415) 327-4782 
Compuserve PC Vendors Forum GO NETGENERAL 


Figure i. Contacting Network General Technical Support. 
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Overview 


File Content 


File Format 
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The Expert Sniffer Network Analyzer lets you save most of the information in the 
Expert analyzer database in an ASCII file. All the data in the ASCII file is in comma 
separated value (CSV) format that allows you to export the information to spreadsheet 
and database applications. Using spreadsheet and database applications, you can see the 
information in tabular or graphical form. 


This document describes the Expert analyzer output file and the data it contains. For 
information on how to save Expert analyzer data in an output file, refer to the Analyzer 
Operations manual or the New Features document. 


The Expert analyzer output file contains the following information: 


© Network objects identified by the Expert analyzer 


Thresholds set in the Expert analyzer 


Global statistics about the captured data 
© Contents of the Expert Overview display 


e Symptoms detected and the diagnoses made by the Expert analyzer 


Some of the information in the Expert analyzer database cannot be saved in the output 
file. The following information is not included in the file: 


e Spanning Tree states when no topology changes have occurred 


¢ Detail screen information for a diagnosis. 


The information in the Expert analyzer output file is grouped into sections consisting 
of rows and columns. Each column in a row is separated by a comma. 


The output file can contain as many as sixteen sections of data. You can select which 
sections you want to include in the file. For information on how to select a section in 
the output file, refer to the New Features document. Each section is labeled so that it 
can be easily identified and contains headings for each column. The sections of data are 
as follows: 
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e Header Information (page 8) 

¢ Contents (page 9) 

e Expert Database (page 13) 

e Expert Configuration (page 22) 

¢ Global Statistics (page 28) 

e Expert Overview (page 35) 

¢ DLC Stations (page 38) 

e Subnets (page 41) 

¢ Subnet Pairs (page 44) 

e Network Stations (page 45) 

¢ Connections/Applications (page 50) 
¢ Global Symptoms (page 60) 

e DLC Station Diagnoses (page 68) 

¢ Network Station Diagnoses (page 70) 
¢ Connection Diagnoses (page 72) 


° Application Diagnoses (page 74) 


Certain sections are divided into subsections. These sections are as follows: 
e Expert Configuration 
— DLC Station Thresholds 
— Network station Thresholds 
— Connection Thresholds 
— Application Thresholds 
— Subnet Masks 
e Global Statistics 
— General Statistics 
— Traffic Level 
— Traffic by Protocol Family 
¢ Global Symptoms 
— Spanning Tree Topology Changes 
— ZIP Storms 


— Bursts 


Sections and Subsections 


The Expert analyzer output file consists of sections and subsections (described above) 
separated by a line feed. 
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Each section and subsection can contain multiple rows of data (for example, in the 
Network Stations section there is one row of data for each station on the network). 


Each row in the output file is identified by a number in its first column (its row type) 
which indicates the type of information in the row. 


Each section and subsection begins with a label row (row type 0) that identifies the 
section. For example: 0,"Global Symptoms", 


Following the label for each section or subsection there is a heading row that identifies 
the type of data in each column. The row type of the heading row is the row type of the 
first data row in the section or subsection preceded by the number 1. 


An example of a section with two subsections is shown in Figure 1. 


0,"Global Statistics", <CR> <i——————- Section Label 
: 0,"General Statistics", <CR> ~<q—————_ Subsection Label 
The first column of 1300, Bandwidth, Frms,FrmsAnal,%Anal,<CR> ~@— Heading row 


every row is the row type — 300,10000000,593,593,100,<CR>  ~<¢———— Data row 


(0, 1300, 300, 1301, and 301) 
0,"Utilization", <CR> <—_———————_ Subsection Label 


1301,Avg,Curr,Max, <CR> <j—_————-_ Heading row 
301, Util,0,0,8, <CR> <—_—________————_- Data row 


vd 


Each row in the file ends with a carriage return. 
This document shows the end of a row with <CR> “4 


Figure 1. Sample section. 


Row Types 


The following table lists the row types used in the output file. 


Row Type Description 
O Section Label 
1 Header Information 
100 —_. Sections included in the output file 
101 Contents: Number of rows 
150 Expert Database: Current number of objects 
154 Expert Database: Number of recycled objects 
152 Expert Database: Memory shortage 
153 Expert Database: Time of Memory Shortage 
200 Expert Configuration: DLC Station Thresholds 
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Column Format 


Description 


Expert Configuration: Network Station Thresholds 


Traffic Level (Overall Utilization) 

Traffic Level (DTE Utilization) 

Traffic Level (DCE Utilization) 

Traffic Level (Packets Per Second) 

Traffic By Protocol Family (Percentage of Bytes) 


Traffic By Protocol Family (Number of Frames) 


Number of Symptoms 


Number of Diagnoses 


Global Symptoms: Spanning Tree Topology Changes 


Row Type 
201 
202 Expert Configuration: Connection Thresholds 
203 Expert Configuration: Application Thresholds 
250 Expert Configuration: Subnet Masks 
300 Global Statistics: General Statistics 
301 Global Statistics: 
302 Global Statistics: 
303 Global Statistics: 
304 Global Statistics: 
305 Global Statistics: 
306 Global Statistics: 
400 Expert Overview: Number of Objects 
401 Expert Overview: 
402 Expert Overview: 
500 DLC Stations 
501 Subnets 
502 Subnet Pairs 
503 Network Stations 
504 Connections/Applications 
505 
506 Global Symptoms: ZIP Storms 
507 Global Symptoms: Bursts 
600 DLC Station Diagnoses 
601 Network Station Diagnoses 
602 Connection Diagnoses 
603 Application Diagnoses 


Each row type uses a different number of columns to represent data. Each column is 
separated by a comma. Depending on the type of data being presented, columns can 
contain character strings or numbers. 
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Character Strings 


Depending on its characteristics, the character string format may include quotation 
marks. This is necessary due to the peculiarities of certain spreadsheet applications. The 
use of quotation marks is defined as follows: 


e String within quotation marks 


A string is placed within quotation marks when it can contain commas or spaces 


(for example, "DECnet L2 Router"). 


¢ String within quotation marks and an equal sign (=) before the first quotation 
mark 


A string is placed inside quotation marks with an equal sign before the first 
quotation mark when it can contain all numbers (for example, ="3425"). 


© No quotation marks 


A string appears on its own with no quotation marks if it is one continuous word 
that cannot contain numbers, commas, or spaces (for example, Router). 


When a section contains multiple rows, the columns for each row have the same 
definition. If a certain column in a row can contain a string requiring quotes, that 
column uses quotes in all rows, regardless of the actual value. For example, in the DLC 
Station section, the Name column always uses quotes around its strings because the 
value may be one or several words (such as "Workstation" or "TCP/IP Router"). 


Time 


Time is listed in standard 24-hour time format (that is, mm/dd/yy hh:mm:ss). The time 
format is not presented in quotation marks so that spreadsheet applications will read the 
value as a time and not a string. 


If you have set your TZ DOS environment variable, all times will be converted to 
Greenwich mean time. If you have not set your TZ DOS environment variable, all 
times will be local time. 


Booleans 


Certain column values are Booleans (for example, a field indicating whether any IP 
traffic was detected). These items are always represented numerically: 1 for TRUE and 
O for FALSE. 


Undefined Column Values 


Certain column values may be undefined (for example, an AppleTalk Network Station 
has columns for Novell-specific symptoms but there is no value in the column). When 
a column value is undefined, the column is empty, not zero. A comma still separates an 
empty column from the next column (,,). 


Row Type Description 


Each row type (except the label row, row type 0) has its own column format described 
in detail below. These column formats may change as new statistics and symptoms are 
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added in subsequent Expert analyzer revisions. An output format revision code is 
included in the Header Row (row type 1), whose format will not change. 


Row type 0 is used to identify a label of a section or subsection. Each section and 
subsection in the Expert analyzer output file begins with a label row. 


Section Descriptions 


Each section in the Expert analyzer output file is described below in numerical order, as 
it appears in the output file. The following information is provided for each section: 


e A paragraph containing a brief description of the information in the section 


e An example showing the format of the section or subsection as it appears in the 
file. For example, the format for the Network Station Thresholds subsection is: 


0,"Network Station Thresholds" ,<CR> 
1201,DECHello, DuplicateP,MultRouters,<CR> 
201,20, 10,,3:,<CR> 


Note: Each row in the file ends with a carriage return. This document shows the 
end of a row with <CR>. 


e A table with descriptions of each column for each row type in the section. For 
example, the table format for row type 201 is: 


Data 


Type 
Code 


fia ae 


DECHello 7 


DuplicateP 


Column 
Data 


Column Description 


Row type 201 specifies Network 
Station thresholds. 


If the DECnet hello timer is less than 
the number of seconds specified for 
the threshold for DECHello, a 
symptom is triggered. 


The maximum percentage 
discrepancy between the normal and 
measured DECHello timer to trigger 
a duplicate address diagnosis. 


The number of local routers that can 
route traffic to a remote station that 
triggers a diagnosis (LAN only). 


MultRouters 


Where: 

Column lists the lettered spreadsheet columns (A, B, C, D in this 
example). 

Column Data lists the information that is contained in each column 
(rowtype, DECHello, Duplicate%, and MultRouters in this 
example). 
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Data Type Codes 
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Data Type Code describes the type of data in each column (see Data Type Codes 
below) indicating how the data is represented. The data types 
in this example are RT and TH (Row Type and Threshold 


Value). 
Description describes the information in Column Data in more detail. 
rowtype is the number that represents the type of information in the 


row. The row type in the above example is 201, which describes 
the Network Station Thresholds. 


The following data type codes are used in the tables throughout this document to 
describe the type of data in each column: 


BO Boolean: 1 or 0 

C2 An unsigned 2-byte count (or other value) 

C4 An unsigned 4-byte count (or other value) 

CL An unsigned 2-byte code giving an object’s protocol family 
DM_ Duration in milliseconds; an unsigned 4-byte value 

DS Duration in seconds; an unsigned 4-byte value 

DT 24-hour date/time with year (that is, mm/dd/yy hh:mm:ss) 
M1 An unsigned 1-byte bitmap 

M2. An unsigned 2-byte bitmap 


OB An object ID: an unsigned 2-byte number. Every object in the Expert analyzer 
database is assigned a globally unique ID that allows cross-referencing between 
objects in the output file. Object 100 in the Connection list, for example, could 
be listed as a Connection object between Network Station objects 98 and 99, 
which could then be looked up in the Network Station list. 


PO A percentage, from 0 to 100 (no decimal places) 
P2 A percentage from 0 to 100 (to two decimal places) 
RT The row type, an unsigned 2-byte number from 0 to 603 


SC A string that can contain commas or spaces. This string is always placed within 
quotation marks (for example, "DECnet L2 Router"). 


SN A string that may be made up of all numbers. This string is always placed within 
quotation marks with an equal sign (=) before the first quotation mark (for 
example, ="3425"). 


SP A string that cannot contain commas or be all numbers (for example, Router) 


TH A threshold value: an unsigned number guaranteed to fit in two bytes. Some 
range from 1 to 999, others from 0 to 100. For information about specific 
threshold settings, refer to the Analyzer Operations manual. 
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Header Information (Row Type 1) 


The Header Information section is always included at the top of the file. It contains row 
type 1, which provides general information about the output file including: 


© The revision number of the output format 
© The date and time the output file was saved 


e The start date, time, and duration of the capture 
The following is an example of the Header Information section in the output file: 


0, "Header" ,<CR> 

1001, Output,Revision, TimeSaved, StartTime, StopTime, Duration, 
SegmentName, ServerName, TimeZone, <CR> 

1,="ExpertSniffer" ,="QA2",12/12/93 16:54:40,12/12/93 15:50:30,12/12/93 
16:54:34,3842,,,,<CR> 


The following table describes the column data for row type 1. 


Column si 
Column Type Description 
Data 
Code 

A Row type 1 provides header information. 

B Output SN The type of information in this file. Currently 
the only value is "ExpertSniffer." 

Cc Revision SN The revision level of the Expert analyzer 
output file. (This is not the same as the 
product software revision number.) 

D TimeSaved The time that the output file was saved. 

E StartTime DT The time that the capture was started. If the 
capture was obtained from a file, the time 
indicates when the data was originally 
captured. 

F StopTime DT The time of the last frame analyzed by the 
Expert analyzer. This should be almost 
identical to the time that the capture was 
stopped. 

G Duration DS The duration of the capture in seconds. 

H SegmentName SN The name of the segment where the capture 
was taken. This column value is undefined if 
you are not using a DSS Server. 

I ServerName SN The name of the server that captured the 
data. This column value is undefined if you 
are not using a DSS Server. 

J TimeZone SN The TZ DOS environment variable of the 


Sniffer or DSS Server. 
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Contents (Row Types 100 - 101) 


Row Type 100 
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The Contents section is always included in the output file and contains two row types. 
Row type 100 indicates the sections that are included in the file and row type 101 
indicates the number of rows in each section. This information allows you to calculate 
the amount of memory your program needs for this data. This section also allows you to 
be certain that when a section or row is not included in the file, it is because the section 
or row was not selected to be included in the file, not because it was omitted. 


Below is an example of the Contents section in the output file. 


0, "Contents" ,<CR> 

1100, ,Config, GlobalStats, ExpOverview, DLCStations, Subnets, SubnetPairs, 
NetStations,Conns,SpanChanges, ZIPStorms, Bursts, DLCDiags, 
NetDiags,ConnDiags,AppDiags,<CR> 

LOO: sSaved?), a: 72 . My Lijekgdl a By Udy de dee by diy i SERS 
101,,Rows;,.4,7,3', 62,191, 35 , 27, 162, 0, 0,16; 0,,.2:,.27,0,<CR> 


Row type 100 indicates the sections that were or were not included in the output file. 
For information on how to select a section so that it is included in the file, refer to the 
Analyzer Operations manual or the New Features document. 


Column pee 
Column Type Description 
Data 
Code 
A Row type 100 indicates which sections 


were saved in the file. 
B The row type label used for readability. 


Cc Config 1 indicates that the Configuration section 
was saved in the file. O indicates that the 
Configuration section was not saved in the 
file. 
BO 


D GlobalStats 1 indicates that the Global Statistics 
section was saved in the file. O indicates 
that the Global Statistics section was not 
saved in the file. 


E ExpOverview BO 1 indicates that the Expert Overview 
section was saved in the file. O indicates 
that the Expert Overview section was not 
saved in the file. 


F DLCStations BO 1 indicates that the DLC Stations section 
was saved in the file. O indicates that the 
DLC Stations section was not saved in the 
file. 
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Description 


1 indicates that the Subnets section was 
saved in the file. O indicates that the 
Subnets section was not saved in the file. 


1 indicates that the Subnet Pairs section 
was saved in the file. O indicates that the 
Subnet Pairs section was not saved in the 


1 indicates that the Network Stations 
section was saved in the file. O indicates 
that the Network Stations section was not 


Connections/Applications section was 
saved in the file. O indicates that the 
Connections/Applications section was not 


1 indicates that the Spanning Tree 
Topology Change section was saved in the 
file. O indicates that the Spanning Tree 
Topology Change section was not saved in 


1 indicates that the ZipStorms section was 
saved in the file. O indicates that the 
ZipStorms section was not saved in the 


1 indicates that the Bursts section was 
saved in the file. O indicates that the 
Bursts section was not saved in the file. 


Diagnoses section was saved in the file. 


Diagnoses section was not saved in the 


1 indicates that the Network Station 
Diagnoses section was saved in the file. 
O indicates that the Network Station 
Diagnoses section was not saved in the 


Data 
Column 
Column Data Type 
Code 
ial ik 
H SubnetPairs 
file. 
NetStations 
saved in the file. 
J Conns 1 indicates that the 
saved in the file. 
K SpanChanges 
the file. 
L: Z|IPStorms 
file. 
re 
N DLCDiags BO 1 indicates that the DLC Station 
O indicates that the DLC Station 
file. 
Oo NetDiags BO 
file. 
P ConnDiags BO 


1 indicates that the Connection Diagnoses 
section was saved in the file. O indicates 
that the Connection Diagnoses section 
was not saved in the file. 
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Row Type 101 
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Column Description 


AppDiags 


1 indicates that the Application Diagnoses 
section was Saved in the file. O indicates 
that the Application Diagnoses section 
was not saved in the file. 


Row type 101 indicates the number of data rows in each section included in the output 
file. The column is empty if the section was not included in the output file. (This does 
not include label or header rows.) This information lets you determine in advance how 
much memory your application will need to parse this data. 


Column ae 
Column Type Description 
Data 
Code 


> 


Row type 101 indicates the number of 
rows in each section. 


ive) 


The row type label used for readability. 


The number of rows in the Configuration 
section. 


C2 The number of rows in the Global Statistics 
section. 


D GlobalStats 


heal ‘all 
F DLCStations The number of rows in the DLC Stations 
section. 


The number of rows in the Expert Overview 
section. 


G Subnets The number of rows in the Subnets 


section. 
H SubnetPairs C2 
| NetStations C2 


J Conns C2 The number of rows in the 
Connections/Applications section. 


The number of rows in the Subnet Pairs 
section. 


The number of rows in the Network 
Stations section. 


K SpanChanges C2 The number of rows in the Spanning Tree 
Topology Change section. 


L. ZipStorms C2 The number of rows in the Zip Storms 
section. 


11. 
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Column Description 


Column 
Data 


Bursts The number of rows in the Bursts section. 


DLCDiags 


NetDiags eal 
‘nell inl 


The number of rows in the DLC Station 
Diagnoses section. 


The number of rows in the Network Station 
Diagnoses section. 


The number of rows in the Connection 
Diagnoses section. 


AppDiags The number of rows in the Application 


Diagnoses section. 
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Row Type 150 
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The Expert Database section provides information about memory allocation in the 
Expert analyzer’s database. This section contains row types 150, 151, 152, and 153, 
which indicate whether the Expert analyzer ran out of memory, and if so, up to what 
point the Expert analyzer’s database is complete. 


The Expert Database section is always included in the output file. 
The following is an example of the Expert Database section in the output file: 


0,"Expert Database Info",<CR> 

1150, ,DLC,NetApple, NetDEC,NetIP,NetISO,NetNov,NetXNS, CnxADSP, CnxATP,C 
nxDEC, CnxISO, CnxLAT, CnxNBP, CnxNETB, CnxNETBPEP, CnxNOVPEP,CnxTCP, 
CnxUDP, CnxXNSPEP, CnxSPP,CnxX25,Appl1, Subnet, SubnetPair, SpanChange, 
ZIPStorm, Burst, Diag, <CR> 

150,OnHand, 45,0,0,96,0,0,40,0,0,0,0,0,0,0,0,3,17,104,0,0,0,34,35,27, 
0,0,16,29,<CR> 
151,Recycled,292,0,0,425,0,0,2441,0,0,0,0,0,0,0,0,0,4,991,0,0,0, 

0,0; 04.0,'0.,0,0,;<ER> 

1150 RanOut?,.1.,0i0.1a, 0 ,1,0;0),:0:,0,,0,.0; 01,0) 10,1, 1, 200-0), dd 05 
0,0,0,<CR> 

153, OutTime, 12/12/93 15:50:38,,,12/12/93 16:31:30,,12/12/93 15:57:40, 
Ppardi nen phOYL2/93' L594 201 , 12/12/93 15:56:56,12/12/93 16:17:47, 

pope L2/12/93 15:353422),12/12/93 15753252, 12/12/93. 15253 230555 27<CR* 


Row type 150 specifies the number of objects in the Expert analyzer database at the end 


of a capture session for each object type. 
Description 


Row type 150 indicates the number of 
objects in the database at the end of a 
capture session. 


Column 
Data 


The row type label used for readability. 


DLC C2 The number of DLC Station objects in the 
Expert database. 


D NetApple C2 The number of AppleTalk Network Station 
objects in the Expert database. 
E NetDEC C2 The number of DECnet Network Station 


objects in the Expert database. 


The number of IP Network Station objects 
in the Expert database. 


NetIP C2 


The number of ISO Network Station objects 
in the Expert database. 


NetISO C2 
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Column nee 

Column Type Description 
Data 
Code 
H NetNov The number of IPX Network Station objects 
in the Expert database. 
NetXNS 

J CnxADSP 
K CnxATP 


The number of XNS Network Station 
objects in the Expert database. 


The number of AppleTalk ADSP Connection 
objects in the Expert database. 


The number of AppleTalk ATP Connection 
objects in the Expert database. 


L CnxDEC The number of DEC Connection objects in 
the Expert database. 

M CnxlSO The number of ISO Connection objects in 
the Expert database. 

N CnxLAT The number of DEC LAT Connection objects 


in the Expert database. 


The number of NBP Connection objects in 
the Expert database. 


O CnxNBP 
P CnxNETB 


Q CnxNETBPEP 
R CnxNOVPEP 
S CnxTCP 


The number of NetBIOS Connection 
objects in the Expert database. 


The number of PEP over NetBIOS 
Connection objects in the Expert 
database. 


The number of PEP over IPX Connection 
objects in the Expert database. 


The number of TCP Connection objects in 
the Expert database. 


T CnxUDP The number of UDP Connection objects in 
the Expert database. 

U CnxXNSPEP C2 The number of PEP over XNS Connection 
objects in the Expert database. 

Vv CnxSPP C2 The number of SPP Connection objects in 
the Expert database. 

W CnxX25 C2 The number of X.25 Connection objects in 
the Expert database. 

X Appl C2 The number of Application objects in the 
Expert database. 

Y Subnet C2 The number of Subnet objects in the 


Expert database. 
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Column 


Col 
olumn Data 


SubnetPair 


SpanChange 


ZIPStorm 


Description 


The number of Subnet Pair objects in the 
Expert database. 


The number of Spanning Tree topology 
change Global Symptom objects in the 
Expert database. 


The number of ZIP storm Global Symptom 
objects in the Expert database. 


The number of Burst Global Symptom 
objects in the Expert database. 


Row Type 151 


The number of Diagnosis objects in the 
Expert database. 


Row type 151 specifies the number of recycled objects in the Expert analyzer database 
since the start of capture for each object type. 


Column 


Recycled 
DLC 


Description 


Row type 151 indicates the number of 
recycled objects in the database since the 
start of capture. 


The row type label used for readability. 


The number of recycled DLC Station 
objects in the Expert database. 


NetApple 


The number of recycled AppleTalk Network 
Station objects in the Expert database. 


NetDEC 


The number of recycled DECnet Network 
Station objects in the Expert database. 


NetIP 


The number of recycled IP Network Station 
objects in the Expert database. 


NetISO 


The number of recycled ISO Network 
Station objects in the Expert database. 


C2 


The number of recycled IPX Network 
Station objects in the Expert database. 
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The number of recycled XNS Network 
Station objects in the Expert database. 
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Column 


CnxATP 


CnxlSO 


CnxUDP 


CnxXNSPEP 


CnxSPP 


CnxX25 


Data 


Type 
Code 


Q 
i) 


(e) Q (o) ie) 
NO is) is) NO iN) nN 


Q © 


i?) 


(>) 
NO 


C2 


C 


ND 


i) 


Description 


The number of recycled AppleTalk ADSP 
Connection objects in the Expert 
database. 


The number of recycled AppleTalk ATP 
Connection objects in the Expert 
database. 


The number of recycled DEC Connection 
objects in the Expert database. 


The number of recycled ISO Connection 
objects in the Expert database. 


The number of recycled DEC LAT 
Connection objects in the Expert 
database. 


The number of recycled NBP Connection 
objects in the Expert database. 


The number of recycled NetBIOS 
Connection objects in the Expert 
database. 


The number of recycled PEP over NetBIOS 
Connection objects in the Expert 
database. 


The number of recycled PEP over IPX 
Connection objects in the Expert 
database. 


The number of recycled TCP Connection 
objects in the Expert database. 


The number of recycled UDP Connection 
objects in the Expert database. 


The number of recycled SPP Connection 


The number of recycled X.25 Connection 


Appl 


Subnet 


The number of recycled Application objects 


C2 The number of recycled PEP over XNS 
Connection objects in the Expert 
database. 

C2 
objects in the Expert database. 

C2 
objects in the Expert database. 

C2 
in the Expert database. 

C2 


The number of recycled Subnet objects in 
the Expert database. 
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Row Type 152 
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Column | Bate 


Column Type 
D 
— Code 
Z SubnetPair C2 
AA SpanChange C2 
AB ZIPStorm 
AC Burst 


Description 


The number of recycled Subnet Pair 
objects in the Expert database since the 
start of capture. 


The number of recycled Spanning Tree 
topology change Global Symptom objects 
in the Expert database. 


The number of recycled ZIP storm Global 
Symptom objects in the Expert database. 


The number of recycled Burst Global 
Symptom objects in the Expert database. 


The number of recycled Diagnosis objects 
in the Expert database. 


Row type 152 indicates whether an object of a given type could not be created because 
the Expert analyzer ran out of memory. 


Column Pate 
Column Data Type 
Code 
. - a 
D NetApple Py 
E NetDEC BO 
F NetIP BO 


Description 


Row type 152 indicates whether an object 
could not be created. 


The row type label used for readability. 


1 indicates that a DLC Station object could 
not be created. O indicates that all DLC 
Station objects were created. 


1 indicates that an AppleTalk Network 
Station object could not be created. O 
indicates that all AppleTalk Network 
Station objects were created. 


1 indicates that a DECnet Network Station 
object could not be created. O indicates 
that all DECnet Network Station objects 
were created. 


1 indicates that an IP Network Station 
object could not be created. O indicates 
that all IP Network Station objects were 
created. 
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Column 


G 


H 


J 


K 


M 


N 


Data 
Column Type 
Data Code 


CnxATP 
CnxDEC 
Cnx!ISO 


CnxNBP BO 


Description 


1 indicates that an ISO Network Station 
object could not be created. O indicates 
that all ISO Network Station objects were 
created. 


1 indicates that an IPX Network Station 
object could not be created. O indicates 
that all IPX Network Station objects were 
created. 


1 indicates that an XNS Network Station 
object could not be created. O indicates 
that all XNS Network Station objects were 
created. 


1 indicates that an AppleTalk ADSP 
Connection object could not be created. O 
indicates that all AppleTalk ADSP 
Connection objects were created. 


1 indicates that an AppleTalk ATP 
Connection object could not be created. O 
indicates that all AppleTalk ATP Connection 
objects were created. 


1 indicates that a DEC Connection object 
could not be created. O indicates that all 
DEC Connection objects were created. 


1 indicates that an ISO Connection object 
could not be created. O indicates that all 
ISO Connection objects were created. 


1 indicates that a DEC LAT Connection 
object could not be created. O indicates 
that all DEC LAT Connection objects were 
created. 


1 indicates that an NBP Connection object 
could not be created. O indicates that all 
NBP Connection objects were created. 


CnxNETB 


CnxNETBPEP 


1 indicates that a NetBIOS Connection 
object could not be created. O indicates 
that all NetBIOS Connection objects were 
created. 


1 indicates that a PEP over NetBIOS 
Connection object could not be created. O 
indicates that all PEP over NetBIOS 
Connection objects were created. 
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Column 


Column 


Data 
Type 
D 
aa Code 
CnxNOVPEP a 


Description 


1 indicates that a PEP over IPX Connection 
object could not be created. O indicates 
that all PEP over IPX Connection objects 
were created. 


1 indicates that a TCP Connection object 
could not be created. O indicates that all 
TCP Connection objects were created. 


1 indicates that a UDP Connection object 
could not be created. O indicates that all 
UDP Connection objects were created. 


1 indicates that a PEP over XNS 
Connection object could not be created. O 
indicates that all PEP over XNS Connection 
objects were created. 


1 indicates that an SPP Connection object 
could not be created. O indicates that all 
SPP Connection objects were created. 


1 indicates that an X.25 Connection object 
could not be created. O indicates that all 
X.25 Connection objects were created. 


1 indicates that an Application object could 
not be created. O indicates that all 
Application objects were created. 


1 indicates that a Subnet object could not 
be created. O indicates that all Subnet 
objects were created. 


1 indicates that a Subnet Pair object could 
not be created. O indicates that all Subnet 
Pair objects were created. 


1 indicates that a Spanning Tree topology 
change Global Symptom object could not 
be created. O indicates that all Spanning 
Tree topology change Global Symptom 
objects were created. 


1 indicates that a ZIP storm Global 
Symptom object could not be created. O 
indicates that all ZIP storm Global 
Symptom objects were created. 


. ae 
T CnxUDP BO 
U CnxXNSPEP BO 
. a 
| 
. ba 
. pl 
Zz SubnetPair BO 
AA SpanChange BO 
AB Z|IPStorm BO 
AC Burst BO 


1 indicates that a Burst Global Symptom 
object could not be created. O indicates 
that all Burst Global Symptom objects 
were created. 
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Data 
Type 
Code 


Column 
Data 


Row type 153 specifies the time that the first object of a given type could not be created 
because the Expert analyzer ran out of memory. 


Column Description 


1 indicates that a Diagnosis object could 
not be created. O indicates that all 
Diagnosis objects were created. 


Row Type 153 


When a column in row type 152 is 0, the column with the same heading in this row is 
undefined (empty). 


Column Data 
Column Type Description 
Data 
Code 
A Row type 153 indicates the time that the 


first object could not be created. 


RT 
p 
oeeele 
T 
rT 


The row type label used for readability. 


The time that the first DLC Station object 
could not be created. 


The time that the first AppleTalk Network 
Station object could not be created. 


D NetApple 
E NetDEC 
F NetIP 


G NetISO 


D 
D 
D The time that the first DECnet Network 


Station object could not be created. 


The time that the first IP Network Station 
object could not be created. 


DT 
DT The time that the first ISO Network Station 


object could not be created. 


H NetNov The time that the first IPX Network Station 


object could not be created. 


NetXNS 


The time that the first XNS Network Station 
object could not be created. 


ela 


J CnxADSP DT The time that the first AppleTalk ADSP 
Connection object could not be created. 

K CnxATP DT The time that the first AppleTalk ATP 
Connection object could not be created. 

L CnxDEC DT The time that the first DEC Connection 


object could not be created. 
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Column 


Column 
Data 


CnxlSO DT 
N CnxLAT 
0 CnxNBP 


CnxNETB 


CnxNETBPEP 
CnxNOVPEP 


CnxXNSPEP 


CnxSPP 


CnxX25 


DT 


DT 


Appl 


Subnet 


SubnetPair 


DT 


DT 


DT 


SpanChange 


AB 


ZIPStorm 


AC 


AD 


Burst 


Diag 


DT 


Description 


The time that the first ISO Connection 
object could not be created. 


The time that the first DEC LAT Connection 
object could not be created. 


The time that the first NBP Connection 
object could not be created. 


The time that the first NetBIOS Connection 
object could not be created. 


The time that the first PEP over NetBIOS 
Connection object could not be created. 


The time that the first PEP over IPX 
Connection object could not be created. 


The time that the first TCP Connection 
object could not be created. 


The time that the first UDP Connection 
object could not be created. 


The time that the first PEP over XNS 
Connection object could not be created. 


The time that the first SPP Connection 
object could not be created. 


The time that the first X.25 Connection 
object could not be created. 


The time that the first Application object 
could not be created. 


The time that the first Subnet object could 
not be created. 


The time that the first Subnet Pair object 
could not be created. 


The time that the first Spanning Tree 
topology change Global Symptom object 
could not be created. 


The time that the first ZIP storm Global 
Symptom object could not be created. 


The time that the first Burst Global 
Symptom object could not be created. 


The time that the first Diagnosis object 
could not be created. 
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Expert Configuration (Row Types 200 - 203 and 250) 


The Expert Configuration section contains five subsections that specify all the 
user-configurable Expert analyzer threshold settings to help you interpret the data in 
the output file. The five subsections are as follows: 


* DLC Sinisa Thechalde teow type 200) 

e Network Station Thresholds (row type 201) 
© Connection Thresholds (row type 202) 

e Application Thresholds (row type 203) 
Subnet Masks (row type 250) 


The threshold values are those in effect when you save the output file. If you change 
the settings after the capture but before you save the output file, the new settings will 
be used and they may not reflect those used during the capture. 


The Expert Configuration section begins with the following label row: 


0,"Expert Configuration", 


DLC Station Thresholds (Row Type 200) 


The DLC Station Thresholds subsection contains row type 200, which specifies the 
threshold settings in the analyzer’s Expert Config\ Thresholds\DLC station menu. 


The following is an example of the DLC Station Thresholds subsection in the output 
file: 


0,"DLC Station Thresholds" ,<CR> 

1200,WANOverload, LANOverload, OverloadTim, WANUndrload, UndrloadTim, LANO 
verldP, BroadcastSy, BroadcastDg, ZIPStorm, CongestionP, RingEntries, 
RXCong, StnRemoved, RingErrors,RngPurgeSy, RngPurgeDg, PhysicalErr,<CR> 
200) .,30y 4%. 720,40, 120),.10) 105 4 py pp eh RCRE 


The following table describes the column data for row type 200. 


Column Description 


Row type 200 specifies DLC Station 
thresholds. 


WANOverload The load on the WAN that triggers an 


overload symptom (WAN only). 


LANOverload The load on the LAN that triggers an 


overload symptom (LAN only). 


The duration in seconds before the 
analyzer diagnoses that the WAN is 
overloaded (WAN only). 


OverloadTim 
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Expert Configuration (Row Types 200 - 203) 


Column 


Data Description 


E WANUndrload The load on the WAN that triggers an 
underload symptom (WAN only). 
F UndrloadTim The duration in seconds before the 


analyzer diagnoses that the WAN is 
underloaded (WAN only). 


The percentage of each minute that the 
network is overloaded (LAN only). 


LANOverldP 
BroadcastSy 


BroadcastDg TH The number of broadcasts per second that 
triggers a diagnosis. 


The number of broadcasts per second that 
triggers a symptom. 


J ZIPStorm TH The number of ZIP Queries per minute that 
triggers a symptom. 


K CongestionP TH The point at which the analyzer generates 
congestion-related symptoms (WAN only). 


L RingEntries TH The number of ring entries per minute per 
station that triggers a diagnosis (token ring 
only). 

M RXCong TH The number of RX congestion errors per 
minute per station that triggers a diagnosis 
(token ring only). 


N StnRemoved TH The number of station removed requests 
per minute that triggers a diagnosis (token 
ring only). 

e) RingErrors TH The number of line/burst errors per minute 


that triggers a diagnosis (token ring only). 


P RngPurgeSy TH The number of ring purges per minute that 
triggers a symptom (token ring only). 


Q RngPurgeDg TH The number of ring purges per minute that 
triggers a diagnosis (token ring only). 


R PhysicalErr TH The number of physical errors per second 
per station that triggers a diagnosis. 
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Network Station Thresholds (Row Type 201) 


The Network Station Thresholds subsection contains row type 201, which specifies the 
threshold settings in the analyzer’s Expert Config\ Thresholds \Network station 
menu. 


The following is an example of the Network Station Thresholds subsection in the 
output file: 


0,"Network Station Thresholds", <CR> 
1201,DECHello, DuplicateP,MultRouters,<CR> 
201,,20,.20,,3,,<CR> 


The following table describes the column data for row type 201. 


Column 
Data 


ik 
DECHello TH 
DuplicateP 


Column Description 


Row type 201 specifies the Network 
Station thresholds. 


If the DECnet hello timer is less than the 
number of seconds specified for the 
threshold for DECHello, a symptom is 
triggered. 


The maximum percentage discrepancy 
between the normal and measured 
DECHello timer to trigger a duplicate 
address diagnosis. 


The number of local routers that can route 
traffic to a remote station that triggers a 
diagnosis (LAN only). 


Connection Thresholds (Row Type 202) 
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The Connection Thresholds subsection contains row type 202, which specifies the 
threshold settings in the analyzer’s Expert Config\ Thresholds \Connection menu. 


The following is an example of the Connection Thresholds subsection in the output 
file: 

0,"Connection Thresholds" ,<CR> 

1202,NoResponses,RetransP, ZeroWindow, IdleTimer,FastRetrans, 
TCPKeepAlv, DECKeepAlv, PAPWait,<CR> 

202,,.3%, 10,510,100; 25i,/5.5 L20,<CR> 


The following table describes the column data for row type 202. 
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Column 


rowtype 


Description 


Row type 202 specifies the Connection 
thresholds. 


RetransP 


NoResponses 


The number of consecutive 
retransmissions without responses to 
trigger a diagnosis. 


ZeroWindow 
IdleTimer 
FastRetrans 


TCPKeepAlv 


DECKeepAlv 


TH The maximum acceptable percentage of 
retransmitted packets versus successfully 
transmitted packets to trigger a diagnosis. 

TH The duration in seconds of a zero window 


before a symptom is triggered. 


The maximum time in minutes that a 
connection can remain idle. 


The minimum time in milliseconds 
between packet retransmissions. 


The number of-seconds before a 
transmitted frame represents a TCP 
keepalive frame instead of real 

transmission. 


The number of seconds before a 
transmitted frame represents a DEC 
keepalive frame instead of real 
transmission. 


PAPWait 


TH 


E! 


Application Thresholds (Row Type 203) 
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If the AppleTalk PAP OpenCom WaitTime is 
longer than the number of seconds 
specified here, a symptom is triggered. 


The Application Thresholds subsection contains row type 203, which specifies the 
threshold settings in the analyzer’s Expert Config\Thresholds\ Application menu. 


The following is an example of the Application Thresholds subsection in the output 


file: 


0,"Application Thresholds", <CR> 
1203 ,MinApplReq, RespTime, SlowRespP, FilterTime, DeniedCount, DeniedReqP, 
LoopP, LocalXfer,RemoteXfer, SlowFileP, <CR> 
203,100,100; 20,12, 20,,3:0,,,200 ,50,30,.<CR> 


The following table describes the column data for row type 203. 
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Column gla 
Column Type Description 
Data 
Code 
A rowtype RT Row type 203 specifies the Application 
thresholds. 
B MinApp!IReq TH The minimum number of application 
requests required for a diagnosis. 
Cc RespTime TH The time in milliseconds between slow 
responses. 
D SlowRespP TH The percentage of slow responses versus 


good responses to trigger a diagnosis. 


E FilterTime TH The maximum time interval in seconds 
during which the analyzer counts repeated 


requests and denied requests. 


F DeniedCount The number of denied requests during 
FilterTime to trigger a symptom. 


G DeniedReqP The maximum acceptable percentage of 
denied versus successful requests before 
a diagnosis is triggered. 


H LoopP TH The maximum acceptable percentage of 
loops versus non-repeated requests before 
a diagnosis is triggered. 


| LocalXfer TH The minimum acceptable rate of data 
transfer in kilobytes per second between 
two stations on a segment (LAN only). 


4} RemotexXfer The minimum acceptable rate of data 
transfer in kilobytes per second between 
two stations separated by at least one 
bridge or router. 


K SlowFileP The maximum percentage of slow file 
transfers versus normal file transfers. 
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Subnet Masks (Row Type 250) 


The Subnet Masks subsection contains row type 250, which specifies the user-definable 
subnet masks in the analyzer’s Expert Config\Subnet masks menu. 


The following is an example of the Subnet Masks subsection in the output file: 
0,"Subnet Masks" ,<CR> 
1250, IPNetAddr, SubnetMask, <CR> 


290,="<Classa",, =" [(255.255:0.0]", <CcR= 


The following table describes the column data for row type 250. 


Column 


Column Data 


Description 


Row type 250 specifies the subnet masks. 


IPNetAddr A particular IP network address, for 
example, "[123.1.1.1]", or one of the 
following three classes, surrounded by 
less than/greater than signs (<>): 
<ClassA> 

<ClassB> 


<ClassC> 


The subnet mask corresponding to the IP 
network address in the above column. 


SubnetMask 
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Global Statistics (Row Types 300 - 306) 


The Global Statistics section contains three subsections that include all the values on 
the Expert Global Statistics display that are global to the network segment and not 
logically under any particular object. The three subsections are as follows: 


e General Statistics (row type 300) 
e Traffic Level (row types 301 - 304) 
e Traffic by Protocol Family (row types 305 - 306) 


The Global Statistics section begins with the following label row: 


0,"Global Statistics", 


General Statistics (Row Type 300) 
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The General Statistics subsection contains row type 300, which provides general 
information about the capture session, including the network bandwidth, the number 
of frames observed on the network, and the number and percentage of frames that were 
analyzed by the Expert analyzer. 


The following is an example of the General Statistics subsection in the output file: 
0,"General" ,<CR> 

1300, Bandwidth, Frms, FrmsAnal, PAnal, ByteBlocks, BlockSize, 
ByteRemainder , <CR> 


300,10000000,555105,555105,100,8,16777215,3723565,<CR> 


The following table describes the column data for row type 300. 


Data 
Column Type 
Data Code 


Bandwidth 


Column Description 


Row type 300 specifies general information 
about the capture. 


The bandwidth of the network in bits per 
second. The bandwidth counter for Ethernet 
is 10 Mbps; for Token ring it is 4 Mbps or 16 
Mbps; for the Sniffer Internetwork Analyzer, 
bits per second is autodetected by the 
analyzer and, because of measurement 
variability, may differ slightly from the actual 
bandwidth (for example, 56001 instead of 
56 kbps). 


The total number of frames seen by the 
analyzer. 
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Column Bara 
Column Type Description 
Data 
Code 
D FrmsAnal C4 The total number of frames analyzed by the 
Expert analyzer. This may be less than the 
total number of frames seen by the analyzer 
if the Expert had to skip frames during 
periods of heavy traffic. 
E PAnal The percentage of frames seen by the driver 
that were analyzed by the Expert: 
100 * FrmsAnal / Frms 
F ByteBlocks C4 This column value and the two that follow 
allow you to calculate the total number of 
bytes analyzed by the Expert analyzer. 
(ByteBlocks * BlockSize) + ByteRemainder = 
total bytes 
G BlockSize C4 See description above. 
H ByteRemainder C4 See description above. 


Traffic Level (Row Types 301 - 304) 


Row Type 301 
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The Traffic Level subsection contains row types 301, 302, and 303, which provide 
information about the percentage bandwidth utilization during the capture session. For 
the Sniffer Internetwork Analyzer (W/AN/Synchronous) information is given for both 
DTE and DCE sides. 


The following is an example of the Traffic Level subsection in the output file: 


0,"Traffic Level",<CR> 

1301, ,Avg,Curr,Max,<CR> 

301, Util,37;78,<CR> 

302, DTBUCLL» - 5) <GR> 

303; DCBUtLL,,» ,<CRe 

304, Pkts/sec,135,394,2039,<CR> 


Row type 301 provides information about the actual network traffic, compared as a 
percentage, to the maximum bandwidth possible. Maximum and current utilizations are 
based on a one-second time interval. 
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Row Type 302 
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i» 


Column Description 


Row type 301 specifies overall utilization 
during a capture. 


The row type label used for readability. 


The total number of bytes received since the 
start of capture versus the maximum number 
of bytes that could have been received in that 
period given the bandwidth: 

100 * total bytes / Bandwidth * Duration 


The current bandwidth usage is continually 
recalculated every second during capture. The 
value that is given in the file is the one for the 
last full second of the capture. 


The largest of the current bandwidth usage 
values. 


Row type 302 provides information about the actual network traffic compared, as a 
percentage, to the maximum bandwidth possible for the DTE side. Note that the 
bit-stuffing process is ignored, and that utilization is defined so that the maximum for 
each side is 100, not 50. 


If you are not using the Sniffer Internetwork Analyzer, the following column values are 
undefined. 


Column Description 


Row type 302 specifies DTE utilization during 
a capture. 


DTEUtil The row type label used for readability. 


The total number of bytes received since the 
start of capture versus the maximum number 
of bytes that could have been received in that 
period given the bandwidth: 

100 * total bytes / Bandwidth * Duration 
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Column 


Column Data 


Description 


The current bandwidth usage is continually 
recalculated every second during capture. The 
value that is given in the file is the one for the 
last full second of the capture. 


The largest of the current bandwidth usage 
values. 


Row Type 303 


Row type 303 provides information about the actual network traffic compared, as a 
percentage, to the maximum bandwidth possible for the DCE side. Note that the 
bit-stuffing process is ignored, and that utilization is defined so that the maximum for 


each side is 100, not 50. 


Cd If you are not using the Sniffer Internetwork Analyzer, the following column values are 


undefined. 


Column 


Column Dats Description 
Code 
rowtype RT Row type 303 specifies DCE utilization during 
a capture. 
DCEUtil SP The row type label used for readability. 

Cc Avg The total number of bytes received since the 
start of capture versus the maximum number 
of bytes that could have been received in that 
period given the bandwidth: 

100 * total bytes / Bandwidth * Duration 

D Curr PO The current bandwidth usage is continually 
recalculated every second during capture. The 
value that is given in the file is the one for the 
last full second of the capture. 

Ee Max PO The largest of the current bandwidth usage 


values. 
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Row Type 304 


Row type 304 provides you with information about the average, current, and maximum 
number of packets per second observed by the Expert analyzer during the capture 
session. 


Column Description 


Column ies 
Data Sno 
oa 


Row type 304 specifies the number of 
packets per second observed during the 
capture. 


The row type label used for readability. 


The average number of packets per second 
since the start of capture. 


The current number of packets per second in 
the last one-second period. 


The maximum number of packets per second 
for any one-second period. 


Traffic by Protocol Family (Row Types 305 - 306) 


Row Type 305 


=> 
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The Traffic by Protocol Family subsection contains row types 305 and 306, which 
provide a percentage breakdown by protocol family of all detected network traffic. 


The following is an example of the Traffic by Protocol Family subsection in the output 


file. 


0,"Traffic by Protocol Family", <CR> 

1305, ,AppleTalk, Banyan, DECnet ,MAC,NetBIOS,NetWare,OSI,SNA,TCPIP, 
XNS,HDLCSDLC, X25, FrmRelay, Others, <CR> 

305, %Bytes,0.00,0.00,0.00,,0.00,34.01,0.00,0.00,65.35,0.00,,,, 
0.20,<CR> 
306,Frms,0,0,136,,163,201025,0,0,348936,0,,,,4845,<CR> 


Row type 305 specifies the percentage of bytes belonging to the various protocol 
families observed by the Expert analyzer during the capture session. 


The column value is undefined if the protocol is not possible. 
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Column i ; 
Column Type Description 
Data 
Code 
A Row type 305 indicates the composition of 


traffic by protocol family. 


n a 
4 


w 
3 
: 
U 


%Bytes The row type label used for readability. 


Cc AppleTalk P2 The percentage of bytes belonging to the 
AppleTalk protocol family. 
D P2 The percentage of bytes belonging to the 


Banyan protocol family. 


The percentage of bytes belonging to the 
DECnet protocol family. 


—- 
2 oa 
Se aol 
i coal 


| 
j = 


The percentage of bytes belonging to the MAC 
protocol family. 


The percentage of bytes belonging to the 
NetBIOS protocol family. 


The percentage of bytes belonging to the 
NetWare protocol family. 


The percentage of bytes belonging to the OSI 
protocol family. 


The percentage of bytes belonging to the SNA 
protocol family. 


The percentage of bytes belonging to the 
TCP/IP protocol family. 


The percentage of bytes belonging to the XNS 
protocol family. 


M HDLCSDLC The percentage of bytes belonging to the 
HDLC/SDLC protocol family. 
N X25 P2 The percentage of bytes belonging to the X.25 


protocol family. 


The percentage of bytes belonging to the 
Frame Relay protocol family. 


O FrmRelay 


The percentage of bytes belonging to any 
other protocol families. 
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Row Type 306 


Row type 306 specifies the number of frames belonging to each protocol family 
observed by the Expert analyzer during the capture session. 


-_ The column value is undefined if the protocol is not possible. 


Description 


Row type 306 indicates the number of frames 
seen from the various protocol families. 


The row type label used for readability. 


The number of AppleTalk frames seen. 


The number of Banyan frames seen. 
The number of DECnet frames seen. 
The number of MAC frames seen. 
The number of NetBIOS frames seen. 
The number of NetWare frames seen. 
The number of OSI frames seen. 


The number of SNA frames seen. 


The number of TCP/IP frames seen. 
The number of XNS frames seen. 


The number of HDLC/SDLC frames seen. 


The number of X.25 frames seen. 


Data 
Column Type 
Code 
A rowtype RT 
B Frms SP 
EF MAC c4 
G NetBIOS C4 
H | Netware c4 
| osI 
J SNA C4 
K TCPIP C4 
L XNS 
N X25 c4 
O FrmRelay C4 
P Others c4 
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The number of Frame Relay frames seen. 


The number of frames seen from any other 
protocol families. 
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Expert Overview (Row Types 400 - 402) 


Row Type 400 


= 
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The Expert Overview section contains row types 400, 401, and 402, which provide 
information about the contents of the top-level Expert Overview display. The number 
of network objects, symptoms, and diagnoses detected by the Expert analyzer at the 
various Expert layers at the end of a capture session is specified. 


The following is an example of the Expert Overview section in the output file. 


0,"Expert Overview" ,<CR> 
1400,,Apps,Conns,NetStations, Subnets, SubnetPairs,DLCStations, 
GlobalSymps , <CR> 

400,0bjects,35,162,191,35,27,62, ,<CR> 
401,Symps,722,1644,81,,,26,16,<CR> 

402, Diage,.0,27,2. 9-0. ,<CR> 


Row type 400 provides information about the number of network objects detected by 
the Expert analyzer at the various Expert layers at the end of a capture session. 


Objects destroyed in the process of recycling memory are not counted. 


Column Description 

A rowtype RT Row type 400 specifies the number of objects 
in the Expert Overview display at the end of a 
capture session. 

B Objects SP The row type label used for readability. 

Cc Apps The number of Application objects. 

D Conns The number of Connection objects. 

E; NetStations The number of Network Station objects. 

F Subnets C2 The number of Subnet objects. 
(The Expert Overview display does not 
currently display subnets, although they are 
maintained in the Expert analyzer database in 
support of the Subnet Pairs feature.) 

G SubnetPairs C2 The number of Subnet Pair objects. 

H DLCStations C2 The number of DLC Station objects. 


| GlobalSymps C2 This column value is undefined. See the 
GlobalSymps column in row type 401 for what 
is both the object and symptom count. 


85 


Expert Analyzer Output File Format 


Row Type 401 


Row type 401 indicates the number of symptom objects detected by the Expert analyzer 
at the various Expert layers at the end of a capture session. These are separate, 4-byte 
counts that are incremented with each symptom and are not decremented as objects are 
recycled. Therefore, they may add up to more than the sum of all symptoms in all 
current objects. Also, symptom counters within objects are 2 bytes and thus may 
overflow while the 4-byte symptom count for that layer keeps incrementing (when this 
happens, the symptom counter’s value freezes at 65535). 


There is, however, no such 4-byte counter for Global Symptoms. The count is the 
number of current Global Symptom objects (up to a maximum of 50). 


Column Data 
Column Type Description 
Data 
Code 


Row type 401 specifies the number of 
symptoms in the Expert Overview display at 
the end of a capture session. 


ies} 


Symps The row type label used for readability. 


(o>) 


The number of symptoms that are associated 
with Application objects. 


ie) 
4 


QO!;]on a 
| U - 


The number of symptoms that are associated 
with Connection objects. 


D Conns 


C 


B 


NetStations The number of symptoms that are associated 


with Network Station objects. 


F Subnets This column value is undefined. Symptoms 
are currently never attributed to Subnet 
objects. Instead, they may be attributed to the 
Network Station of the router advertising the 
subnet. See AppleTalk Network Station 


Symptoms. 


G SubnetPairs This column value is undefined for the same 
reason as the column value for Subnets 


above. 


H DLCStations C4 The number of symptoms that are associated 


with DLC Station objects. 


z 3 
. $ 
3 


| GlobalSymps C2 The current number of Global Symptom 
objects (that is, overloads, underloads, 
broadcast/multicast storms, ZIP storms, and 
Spanning Tree topology changes). With 
recycling, this may be less than the total 
since start of capture. 
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Row Type 402 
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Row type 402 indicates the number of diagnosis objects detected by the Expert analyzer 
at the various Expert layers at the end of a capture session. 


Column 
Data 


Diags 


ies} 
a 
: g 
3 
® 


D Conns 


E NetStations 


F Subnets 


SubnetPairs 


H DLCStations 


GlobalSymps 


Q 


Data 
Type 


i?) 


QO n a 
Le) NO NO} U od 


C 


C2 


Description 


Row type 402 specifies the number of 


diagnoses in the Expert Overview display at 


the end of a capture session. 
The row type label used for readability. 


The number of diagnosis objects at the 
Application layer. 


The number of diagnosis objects at the 
Connection layer. 


The number of diagnosis objects at the 
Network Station layer. 


This column value is undefined. Diagnoses 
currently do not apply to this layer. 


This column value is undefined. Diagnoses 
currently do not apply to this layer. 


The total number of diagnoses at the DLC 
Station and Global Symptom layers. 


This column value is undefined. Diagnoses for 


this layer are tracked at the DLC layer. 
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DLC Stations (Row Type 500) 


The DLC Station section contains row type 500, which provides information about 
every DLC Station object observed by the Expert analyzer during a capture session. This 
includes the network topology, the counts and timing, and the symptoms related to a 
DLC Station. (A DLC Station object is created for every Physical layer address 
observed, including broadcast addresses.) 


The following is an example of the DLC Stations section in the output file. 


0,"DLC Stations" ,<CR> 

1500,0bj,1stFrm, LastFrm, Protocol ,Addr,Name, Type, Router, Server, 
FrmsOut, BytesOut, FrmsIn, BytesIn, BroadsOut, PhysErrsOut, PhysErrsin, <CR> 
500,75,12/12/93 15:50:32,12/12/93 16:54:34,"Ethernet (IP, Netware)", 
="0080A3043E2C",,"Peripheral Device",0,8,2,132,1,60,0,0,0,<CR> 


The following table describes the column data for row type 500. 


Column Data 
Column D Type Description 
ata 
Code 


A rowtype RT Row type 500 provides information about DLC 
Station objects. 


B Obj ae The station's unique object ID. 
DT 


Cc 1stFrm The time of the first activity observed for this 
object (the first frame sent either from or 
directly to this station). 


D The time of the most recent activity for this 
object (the last frame sent either from or 
directly to this station). 

E Protocol A list of DLC protocols observed into or out of 
this station. 

F Addr SN The Physical layer address. 

G Name SN The learned name, if any, for this station. 

H Type Sc A string that describes the 


router/server/bridge functionality observed 
above in this DLC address. If no 
router/server/bridge functionality is observed, 
the column indicates "workstation". 
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Column Description 

| A bitmap that represents the router 
information in the Type column above, in 
numerical form so it is more easily processed. 

This is a decimal number because certain 

spreadsheet applications treat hex numbers 

as strings. The bit values (not always mutually 
exclusive) are as follows: 

Ox001 Multiple net addresses per DLC 
address (This occurs when multiple 
network addresses have been seen 
over this physical address, and the 
analyzer is not yet certain if itis a 
router. This is mutually exclusive 
with the other bits.) 

0x002 DECNET Level 1 router 

0x004 DECNET Level 2 router 

0x008 TCP RIP router 

Ox010 TCP CISCO IGRP router 

Ox020 TCP - saw ICMP source quench 

0x040 Novell router 

0x080 XNS RIP router 

Ox100 AppleTalk router 

Ox4000 = Spanning Tree bridge 

Ox8000 Source routing bridge 

J Server A bitmap that represents the server 
information in the Type column above, in 
numerical form so it is more easily processed. 

This is a decimal number because certain 

spreadsheet applications treat hex numbers 

as strings. The bit values (not mutually 
exclusive) are as follows: 

OxO1 Novell server 

0x02 NFS server 

0x04 Yellow Pages server 

0x08 Peripheral device, such as printer, 
disk server, and so on. 

Ox10 AppleTalk AFP server 

0x20 AppleTalk PAP server 

ie 0x40 AppleTalk TOPS server 
K FrmsOut The number of frames sent by this station. 
EE BytesOut oil The number of bytes in the frames sent by this 
station. 
M Frmsin The number of frames received by this station, 
not including broadcasts. 
N BytesIn The number of bytes received by this station, 


not including broadcasts. 
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Column 


Column Data 


Description 


BroadsOut The number of broadcasts or multicasts sent 


by this station. 


P PhysErrsOut The number of frames with physical errors 
sent by this station. 
Q PhysErrsIn The number of frames with physical errors 


received by this station, not including 
broadcasts or multicasts. 
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Subnets (Row Type 501) 
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The Subnets section contains row type 501, which provides information about every 
Subnet object observed by the Expert analyzer during a capture session. (A Subnet 
object is created for every logical, addressable subnet observed. Therefore, two Subnet 


objects would be created to model a physical segment supporting both IP and 
NetWare.) 


The following is an example of the Subnets section in the output file. 


0,"Subnets" ,<CR> 

1501,0bj,Class, Protocol, Addr,Name,Local,DLCs,DLCObj1, 
Hops1,DLCObj2,Hops2, DLCObj3 , Hops3, DLCObj4,Hops4,DLCObj5,Hops5, 
DLCObj6,Hops6, DLCObj7,Hops7, DLCObj8 ,Hops8, Zones , <CR> 

501,31, “AppleTalk",="10549-10549",.,1,2,12).ydiply pax dapper ga OpSER> 


The following table describes the column data for row type 501. 


Data 
Column ope 
Column Type Description 
Data 
Code 
rowtype 


A RT Row type 501 provides information about 
Subnet objects. 

B Obj OB The subnet's unique object ID. 

Cc Class CL The numeric code for the subnet’s protocol 
family specified in the Protocol column below: 
1 AppleTalk 
2 DECnet 
3 IP 
4 ISO 
5 NetBIOS 
6 IPX 
rf XNS 

D The subnet's protocol family. 

E The subnet’s address. 

F Name SN The learned name, if any, for the subnet. For 
AppleTalk, this is the most recently learned 
zone name for the subnet (“network”). 

G Local BO 1 indicates that this subnet is local to the 
segment where the capture was taken. 

O indicates that this subnet is not local to the 
segment where the capture was taken. 

H DLCs C2 The number of routers (up to 8) that are 
routing traffic to and from this subnet from 
the segment where the capture was taken. 
The following 16 fields list these routers and 
the minimum number of hops observed 
through the routers to the subnet. 
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Column 


The object ID of the first router’s DLC Station 


through the second router. (This column value 
is undefined if the value of the DLCs column 


The object ID of the third router’s DLC Station 
object. (This column value is undefined if the 
value of the DLCs column above is less than 


through the third router. (This column value is 


through the fourth router. (This column value 
is undefined if the value of the DLCs column 


The object ID of the fifth router’s DLC Station 
object. (This column value is undefined if the 
value of the DLCs column above is less than 


through the fifth router. (This column value is 


The object ID of the sixth router’s DLC Station 


Column Rate 
Type Description 
Data 
Code 

DLCObj1 OB 
object. 

Hops1 C2 The minimum number of hops observed 
through the first router. 

DLCObj2 OB The object ID of the second router’s DLC 
Station object. (This column value is 
undefined if the value of the DLCs column 
above is less than two.) 

Hops2 C2 The minimum number of hops observed 
above is less than two.) 

DLCObj3 OB 
three.) 

Hops3 C2 The minimum number of hops observed 
undefined if the value of the DLCs column 
above is less than three.) 

DLCObj4 The object ID of the fourth router’s DLC 
Station object. (This column value is 
undefined if the value of the DLCs column 
above is less than four.) 

Hops4 C2 The minimum number of hops observed 
above is less than four.) 

DLCObj5 OB 
five.) 

Hops5 C2 The minimum number of hops observed 
undefined if the value of the DLCs column 
above is less than five.) 

DLCObj6 OB | 


=i 


object. (This column value is undefined if the 
value of the DLCs column above is less than 
Six.) 
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Data 
Column 

Column Data Type 

Code 
Ty Hops6 
uU DLCObj7 i 
Vv Hops7 
Ww DLCObj8& ee 
| 


Description 


The minimum number of hops observed 
through the sixth router. (This column value is 
undefined if the value of the DLCs column 
above is less than six.) 


The object ID of the seventh router’s DLC 
Station object. (This column value is 
undefined if the value of the DLCs column 
above is less than seven.) 


The minimum number of hops observed 
through the seventh router. (This column 
value is undefined if the value of the DLCs 
column above is less than seven.) 


The object ID of the eighth router’s DLC 
Station object. (This column value is 
undefined if the value of the DLCs column 
above is less than eight.) 


The minimum number of hops observed 
through the eighth router. (This column value 
is undefined if the value of the DLCs column 
above is less than eight.) 


(AppleTalk only) 


O indicates that the number of zones in this 
subnet is not determined. 

1 indicates that there is one zone name 
(always the case if the network is 
non-extended and not provisional). 

2 indicates that there are at least two zone 
names. 
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Subnet Pairs (Row Type 502) 


The Subnet Pairs section contains row type 502, which provides information about 
every Subnet Pair object observed by the Expert analyzer during a capture session. (A 
Subnet Pair object is created for every pair of subnets with traffic observed between 
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them.) 


The following is an example of the Subnet Pairs section in the output file. 


0,"Subnet Pairs",<CR> 
1502,0bj,Class, Protocol,Obj1,0bj2,Addr1,Addr2,Hops1,Hops2, 
Hops1to2,Frms,CnxSymps , AppSymps , <CR> 

5028, 601335. "LP" ,4,6;=" (L6L.69.105)'",=" (6. 69:,108)",2;:173:,290;,; ,<CR> 


The following table describes the column data for row type 502. 


Column 


A 


Data 

Column Type 

Data Code 
rowtype RT 


[af 
ai 


E Obj1 

F Obj2 

G Addri 

H Addr2 

| Hopsi 

J Hops2 

K Hopsito2 
L Frms 

M CnxSymps 
N AppSymps 


SN 
C2 
C2 
C4 
C4 


C4 


Description 


Row type 502 provides information about 
Subnet Pair objects. 


The subnet pair's unique object ID. 


The numeric code for the subnet’s protocol 
family specified in the Protocol column below: 
AppleTalk 

DECnet 

IP 

ISO 

NetBIOS 

IPX 

XNS 


NOOBRWNE 


The subnets’ protocol family. 


The object ID's of the two subnets in the pair 
so they can be found in the Subnet list. 


The addresses for the two subnets in the pair. 


The number of hops away each subnet is from 
the segment being observed. 


The number of hops between the two 
subnets. 


The number of frames transmitted between 
the two subnets. 


The total number of symptoms in Connections 
between the two subnets. 


The total number of symptoms in Applications 
between the two subnets. 
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Network Stations (Row Type 503) 


The Network Station section contains row type 503, which provides information about 
every Network Station object observed by the Expert analyzer during a capture session. 
(A Network Station object is created for every Network layer address observed, 
including broadcast addresses.) 


The following is an example of the Network Stations section in the output file: 


0,"Network Stations" ,<CR> 
1503,0bj,Class,1stFrm,LastFrm, Protocol, Addr,Name, Type, Router, Server, 
Broadcast, SubnetObj,Hops,DLCs,DLCObj1,SrcDst1,DLCObj2,SrcDst2, 
DLCObj3, SrcDst3, DLCObj4,SrcDst4,DLCObj5, SrcDst5,DLCObj6,SrcDst6, 
DLCObj7,SrcDst7,DLCObj8,SrcDst8,FrmsOut, BytesOut, FrmsIn, BytesIn, 
Conns,SNMPs,ICMPs,DNSs,ARPs,DuplAddr, ZeroBroads, BroadSrc, BadMask, 
MultiRtrLoc,MultiRtrRem, BadAdv, FragsLost, FragOrder,DestUnreachs, 
SrcQuenchs, Redirects, TimeExcds, BadAddr, SmallHello, BadHops, BadRTMP, 
LocalClash, RangeClash, ZIPQuery, Phasel2,Rtr2Nowhere, <CR> 
503,7,1,5/20/93 09:52:42,5/20/93 09:57:06, "AppleTalk" ,="10549.195", 
="INTERNETOM:Q_Server@*", "Workstation",0,0,0,3,0,2,6,3,12,1,,, 44,0404 
Lp 3 L095 12, 912. Qi gpg 0, OY OL A0 0 (LS paceg gn Ow 070.7 O00; 0; SERS 


The following table describes the column data for row type 503. 


Data 
Column ay 
Column Type Description 
Data 
Code 


Row type 503 provides information about 
Network Station objects. 


The station's unique object ID. 


a 
J 


CL The numeric code for the protocol family 
specified in the Protocol column below: 

AppleTalk 

DECnet 

IP 

ISO 

NetBIOS 

IPX 

XNS 


NOOBWNEFR 


DT The time of the first activity observed for this 
object (the first frame sent either from or 
directly to this station). 


The time of the most recent activity for this 
object (the last frame sent either from or 
directly to this station). 


QO 


ae 
4 


F S The network station's protocol family. 
G Addr SN The Network layer address. 
H Name SN The learned name, if any, for this station. 
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Data 
Type Description 
Code 


Column 


Column Data 


wn 
io) 


A string that describes the 
router/server/bridge functionality observed in 
this address. 


Type 


—< 
I) 


J Router A bitmap that represents the router 
functionality in this network station. See the 
Router column of the DLC Stations row for 


mapping. 


Server A bitmap that represents the server 
functionality in this network station. See the 
Server column in the DLC Stations row for 


mapping. 


1 indicates that this network station is a 
broadcast or multicast address. O indicates 
that it is a full-fledged network station with 
possible router/server functionality, 
symptoms, and so on. 


L Broadcast 


M SubnetObj The object ID of the station's subnet, so it 


can be found in the Subnet list below. 


io) 
i) 


N Hops The number of hops between the station and 
the segment where the Sniffer or DSS Server 


is connected. 


x 
= 
Re 


O DLCs 


i) 
NO 


The number of DLC stations observed under 
this network address. Information about a 
maximum of eight DLC stations is given. 


DLCObj1 The first DLC station’s object ID. 


ae] 


Q SrcDst1 


< 
e 


Whether any frames were sent to and from 
this DLC station. This column value is a 
bitmap: 

Ox01 Source 

Ox02 Destination 


R DLCObj2 OB The second DLC station’s object ID. 

Ss SrcDst2 M1 Whether any frames were sent to and from 
this DLC station. This column value is a 
bitmap: 


0x01 Source 
Ox02 Destination 


ils DLCObj3 OB The third DLC station’s object ID. 


U SrcDst3 M1 Whether any frames were sent to and from 
this DLC station. This column value is a 
bitmap: 

Ox01 Source 

Ox02 Destination 
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Description 


Whether any frames were sent to and from 
this DLC station. This column value is a 


Whether any frames were sent to and from 
this DLC station. This column value is a 


Whether any frames were sent to and from 
this DLC station. This column value is a 


Whether any frames were sent to and from 
this DLC station. This column value is a 


Whether any frames were sent to and from 
this DLC station. This column value is a 


The number of frames sent by the network 


The number of bytes in the frames sent by the 


The number of frames received by the network 


The number of bytes received by the network 


Column cai 
Column Data Type 
Code 
V DLCObj4 }OB The fourth DLC station’s object ID. 
W SrcDst4 M1 
bitmap: 
Ox01 Source 
Ox02 Destination 
X DLCObj5 fos | The fifth DLC station’s object ID. 
4 SrcDst5 M1 
bitmap: 
Ox01 Source 
0x02 Destination 
Z DLCObj6 fos | The sixth DLC station’s object ID. 
AA SrcDst6 M1 
bitmap: 
Ox01 Source 
0x02 Destination 
AB DLCObj7 fos | The seventh DLC station’s object ID. 
AC SrcDst7 M1 
bitmap: 
Ox01 Source 
0x02 Destination 
AD DLCObjs fos The eighth DLC station’s object ID. 
AE SrcDst8 M1 
bitmap: 
Ox01 Source 
Ox02 Destination 
AF FrmsOut C4 
station. 
AG BytesOut C4 
network station. 
AH Frmsin C4 
station, not including broadcasts. 
Al BytesIn C4 


station, not including broadcasts. 
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rm | 
Column Type Description 
Data 
Code 

AJ Conns C2 The number of connections engaged in, over 
time, by the network station. (Because of 
object recycling, this number may be higher 
than the actual number of current Connection 
objects involving this station.) 


AK SNMPs C2 The number of SNMP messages sent and 
received by the network station (IP only). 

AL ICMPs C2 The number of ICMP messages sent and 
received by the network station (IP only). 

AM DNSs C2 The number of DNS messages sent and 
received by the network station (IP only). 

AN ARPs C2 The number of ARP messages sent and 
received by the network station (IP only). 

AO DuplAddr 1 indicates a duplicate network address. O 
indicates no duplicate network address. 

AP The number of Zero broadcast addresses. 

AQ BroadSrc 1 indicates that the network source address 
is a broadcast address. O indicates that the 
network source address is not a broadcast 
address. 


AR BadMask 1 indicates an inconsistent subnet mask. O 
indicates no inconsistent subnet mask. 


AS MultiRtrLoc 1 indicates that the number of routers used 
to access a local station has reached the 
Multiple Routers threshold. 
O indicates the number of routers used to 
access a local station has not reached the 
Multiple Routers threshold. 


AT MultiRtrRem BO 1 indicates that there are multiple routers 
that can route to a remote station. O 
indicates that multiple routers can not route 
to a remote station. 


AU BadAdv BO 1 indicates an inconsistent advertisement of 
the server. O indicates no inconsistent 


advertisement of the server (NetWare only). 


AV FragsLost C2 The number of IP fragments missing (IP only). 


AW FragOrder BO 1 indicates that the IP fragment is 
out-of-order. O indicates that the IP fragment 


is not out-of-order (IP only). 
AX DestUnreachs C2 The number of destination unreachable 
messages (IP only). 
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Column ida 

Column Type 
Data 

Code 


AY 


AZ 


BA 


BB 


BC 


BD 


BE 


BF 


BG 


BH 


BI 


BJ 


BadAddr fall 


SmallHello 


Description 


The number of source quench messages (IP 
only). 


The number of redirects (IP only). 


The number of time exceeded messages (IP 
only). 


1 indicates a DEC bad HI address. 0 indicates 
no DEC bad HI address (DEC only). 


1 indicates a Small hello timer symptom. O 
indicates no Small hello timer symptom (DEC 


BadHops 


BadRTMP 


LocalClash 
RangeClash 
ZipQuery 


Phi2 


Rtr2Nowhere 


The number of bad hop symptoms (AppleTalk 


The number of Corrupt RTMP tuple symptoms 


BO 
only). 
C2 
only). 
C2 
(AppleTalk only). 
C2 


The number of local range conflicts (AppleTalk 
only). 


The number of network range conflicts 
(AppleTalk only). 


The number of Zip query symptoms (AppleTalk 
only). 


1 indicates that both Phase 1 and Phase 2 
are on the local network. O indicates that both 
Phase 1 and Phase 2 are not on the local 
network (AppleTalk only). 


1 indicates a router to nowhere. O indicates 
no router to nowhere (AppleTalk only). 
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Connections/Applications (Row Type 504) 
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The Connections/Applications section contains row type 504, which provides 
information about every connection observed by the Expert analyzer between network 
stations. For NetBIOS and DEC LAT protocols, information is provided about 
connections between DLC stations. 


The Expert analyzer creates a Connection object for every “significant” transport 
connection. “Significant” generally excludes overhead connections such as those used 
to obtain routing or name information. Also, not every transport protocol in every 
protocol family is supported, and if it is not supported, a Connection object will not be 
created for it. 


Depending on the protocol above the Transport layer, the Expert analyzer allocates an 
additional block of memory, called an Application object, to supplement the 
information provided by the Connection object. Application objects track events such 
as sequential transfers of data and look for symptoms like “read/write overlap” and “low 
throughput.” Information from the Application object, if any, is integrated into the rest 
of the connection information. Those column values will be undefined if an 
Application object was not created. 


In row type 504, a variety of information is given for both sides of a conversation. For 
this purpose, one node is arbitrarily designated as node 1 and the other as node 2, and 
column headings are named accordingly (for example, "Namel," "Name2," and so on). 


Practically all but the first fifteen columns in this row are protocol dependent. That is, 
certain column values are undefined for certain protocols. The protocols that are valid 
for each column are described in “Connection/Application Protocols” on page 77. 


In the columns that are protocol dependent, the column value may have a slightly 
different interpretation from protocol to protocol. Where appropriate, the column lists 
each protocol for which the column is defined and the exact wording that each protocol 
uses for the item on the Expert display. The table also uses the abbreviation “appl” to 
represent the Application object, as described in “Connection/Application Protocols” 
on page 77. For additional information about the Expert display, refer to the Analyzer 
Operations manual. 


The following is an example of the Connections/Applications section in the output file. 
This example shows only a few of the columns as this section contains over one 
hundred columns. 


0, "Connections/Applications" ,<CR> 
1504,0bj,Class,1stFrm, LastFrm, Transport, Protocol, DLCCnx,0Obj1, 
Obj2,Appl1ID1,ApplID2,Addr1,Addr2,Namel1,Name2,Login,Status,DLCs1, 
DLCs2, DLCObj11,DLCObj12 , DLCObj 21, DLCObj22 , DLCObj31, DLCObj32, 
DLCObj 41, DLCObj42,DLCObj51, DLCObj52, DLCObj 61, DLCObj62,DLCObj71, 


DLCObj72,DLCObj81,DLCObj82,SrcRtel,...<CR> 
504,23,9,12/12/93 15:50:32,12/12/93 16:54:34,6, "AppleTalk 
ATP" ,0,5,13,,,="10672.15",="10549.21",,,, "Connected", 

A The SIL eT te) cadence vei etidy ne eR 
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Column Pata 
Column Type Description 
Data 
Code 


rowtype Row type 504 provides information about 
Connection/Application objects. 


B Obj ue The connection's unique object ID. 


C Class CL The numeric code identifying the 
network/transport protocol combination: 
8 AppleTalk ADSP (over DDP) 

9 AppleTalk ATP (over DDP) 

10 DECnet 

11 ISO 

12 DEC LAT (directly over DLC stations) 
13  NBP (directly over DLC stations) 
14 PEP (over NetBIOS) 

15 PEP (over IPX) 

16 TCP (over IP) 

17 UDP (over IP) 

18 PEP (over XNS) 

19 SPP (over XNS) 

20 X.25 


D 1stFrm DT The time of the first activity observed for this 
object (the time when the first frame was 
seen on this connection). 


E LastFrm DT The time of the most recent activity for this 
object (the time that the last frame was seen 
on this connection). 


F Transport C2 The numeric code identifying the 
Transport-layer protocol: 
6 IP TCP 

7 ~~ IPUDP 

8 NetWare PEP 

9 NetWare SPP 

10 X.25 

11 NetBIOS 

12 NBP 

13 DEC 

14 DEC LAT 

15 AppleTalk ATP 

16 AppleTalk ADSP 


G Protocol SC The highest-layer protocol identified for the 

connection, and thus not necessarily the 

same as the underlying Transport protocol. 
For example, "X Windows," "Telnet." 
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Data 
Column ice Type Description 
Data 
Code 
H DLCCnx BO 1 indicates that this connection is between 
DLC stations. O indicates that this 
connection is between network stations. This 
is necessary so you know in which list to find 
"Obj1" and "Obj2." 
| OB The object IDs of the two stations having the 
J OB conversation so they can be found in the 
Network Station or DLC Station object lists. 
K AppllID1 SC "Application IDs" for the two sides (for 
L ApplID2 SC example, the port number being used for the 


connection). The AppllD varies by protocol. 


The network (or DLC) addresses for the 
stations. 


The learned names, if any, for the stations. 


M Addr. 

N Addr2 

O Namet 

P Name2 

: 
: 
S DLCs1 

a DLCs2 

U DLCObji1 

V DLCObj12 

W DLCObj21 

X DLCObj22 

Y DLCObj31 


The login name associated with the 
connection, if any. 


The connection's current status, for 
example, "Disconnected." 


The number of different DLC addresses (up 
to 8) seen under packets from Obj1 above. 


The number of different DLC addresses (up 
to 8) seen under packets from Obj2 above. 


The object ID of the DLC station owning the 
first DLC address in Obj1 above. 


Nn|nNW 
ZZ || ee 


The object ID of the DLC station owning the 
first DLC address in Obj2 above. 


The object ID of the DLC station owning the 
second DLC address in Obj1 above. 


The object ID of the DLC station owning the 
second DLC address in Obj2 above. 


The object ID of the DLC station owning the 
third DLC address in Obj1 above. 


Z DLCObj32 The object ID of the DLC station owning the 
third DLC address in Obj2 above. 

AA DLCObj41 The object ID of the DLC station owning the 
fourth DLC address in Obj1 above. 

AB DLCObj42 The object ID of the DLC station owning the 


fourth DLC address in Obj2 above. 
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Description 


The object ID of the DLC station owning the 
fifth DLC address in Obj1 above. 


The object ID of the DLC station owning the 
fifth DLC address in Obj2 above. 


The object ID of the DLC station owning the 
sixth DLC address in Obj1 above. 


The object ID of the DLC station owning the 
sixth DLC addresses in Obj2 above. 


The object ID of the DLC station owning the 
seventh DLC address in Obj1 above. 


The object ID of the DLC station owning the 
seventh DLC address in Obj2 above. 


The object ID of the DLC station owning the 
eighth DLC address in Obj1 above. 


The object ID of the DLC station owning the 
eighth DLC address in Obj2 above. 


The token ring source routing path being 
used for the connection. This column value 
will be undefined if the source routing does 
not apply, or if the source routing is not 
tracked for this connection transport 
protocol. This column value gives the 
ring/bridge number pair being used for up to 
8 hops in the path. The leftmost (most 
significant) 12 bits of the value is the ring 
number. The rightmost (least significant) 4 
bits of the value is the bridge number. The 
values are given in decimal because 

spreadsheet applications interpret hex 
numbers as strings. 


See SrcRte1 above. 


See SrcRte1 above. 
See SrcRte1 above. 
See SrcRte1 above. 
See SrcRte1 above. 


See SrcRte1 above. 


Column mats 
Column Data Type 
Code 
AC DLCObj51 i) 
AD DLCObj52 OB 
AE DLCObj61 OB 
AF DLCObj62 a 
AG DLCObj71 Ral 
AH DLCObj72 aa 
Al DLCObj81 lial 
AJ DLCObj82 Fee 
AK SrcRte1 | 
AL SrcRte2 
AM SrcRte3 
AN SrcRte4 C2 
AO SrcRte5 C2 
AP SrcRte6 
AQ SrcRte7 C2 
AR SrcRte8& C2 
AS 


Re 
NO 


See SrcRte1 above. 


The number of hops between the two 
network stations. 
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Column 


Column 
Data 


Frms 


Bytes 


Code 


i?) 
pS 


ie) 
ans 


Description 


The number of frames transmitted in both 
directions during the connection. 


The number of bytes transmitted in both 
directions during the connection. 


Protocol-Dependent Statistics Not Broken Out by Side 


The number of requests and commands. 


pep: Number of requests 
netb: Requests 
lat: Number of command frames 


The number of replies. 


pep: Number of replies 

netb: Replies 

lat: Number of reply frames 
atp: | ATP responses 


The percentage of useful data. 
lat: Useful data (%) 


The number of application requests. 
appl: Application requests 


The total number of file transfers. 
appl: Total file transfers 


The total throughput in kilobytes per second. 
appl: Throughput (Kbytes/s) 


The number of bytes transferred. 
appl: Bytes transferred 


The length of the data packet. 
appl: Packet data length 


Protocol-Dependent Statistics Broken Out by Side 


AX UsefulData al 
AY AppReqs 
AZ FileXfers 
. 
BB FileBytes 
BC DataLength C2 

BD Frmsi C4 

BE Frms2 


The number of frames sent by each side. 


tcp: Frames transmitted 
udp: Frames transmitted 
spp: Frames transmitted 
dec: Frames transmitted 
nbp: Frames transmitted 
x25: Frames transmitted 
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Column cat 
Column D Type Description 
ata 
Code 
BF Bytes1 C4 The number of data bytes sent by each side. 
BG Bytes2 tcp: Data bytes transmitted 
udp: Data bytes transmitted 
spp: Data bytes transmitted 
dec: Data bytes transmitted 
nbp: Data bytes transmitted 
x25: Data bytes transmitted 
atp: Data bytes 
adsp: Data bytes 
BH ExpBytes1 The number of expedited data bytes. 
BI ExpBytes2 iso: Expedited data bytes 
BJ The number of requests sent. 
BK atp: Requests 
BL The number of responses sent. 
BM atp: | Responses 
BN Retrans1 C2 The number of retransmissions sent. 
BO Retrans2 tcp: | Retransmissions 
spp: Retransmissions 
dec: Retransmissions 
nbp: Retransmissions 
c4 atp: Req retransmits A 
c4 adsp: Retransmits 
BP RetransTime1 DM The average time between retransmissions 
BQ RetransTime2 in milliseconds. On the screen, this follows 
the previous column value after an @ sign. 
tcp: Retransmissions @ msec 
spp: Retransmissions @ msec 
dec: Retransmissions @ msec 
nbp: Retransmissions @ msec 
atp: Req retransmits A @ msec 
adsp Retransmissions @ msec 
BR RetransB1 C4 The number of type B request retransmits 
BS RetransB2 that were sent. 
atp: Req retransmits B 
BT RespRetrans1 C4 The number of response retransmits. 
BU RespRetrans2 atp: Resp retransmits 
BV AvgAck1 The average acknowledgment time, in 
BW AvgAck2 milliseconds. 


tcp: Average ack time 
spp: Average ack time 
dec: Average ack time 
nbp: Average ack time 
atp: Avg time to 1st response 
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Column 
BX 
BY 


BZ 
CA 


CB 
CC 


CD 
CE 


CF 
CG 


CH 
Cl 


CJ 
CK 


CL 
CM 


CN 
co 


CP 
CQ 


CR 
CS 


CT 
CU 


CV 
CW 


Column 
Data 


1stResps1 
istResps2 


1stRespTimet 


1stRespTime2 


MinistResp1 


MinistResp2 


Max1istResp1 
MaxistResp2 


FlowOffi 
FlowOff2 


FlowOffTime1 
FlowOffTime2 


WinSizeMin1 
WinSizeMin2 


WinSizeMax1 
WinSizeMax2 


KeepAlives1 
KeepAlives2 


KeepAliveTimet 


KeepAliveTime2 


Revisits1 
Revisits2 


Interrupts1 
Interrupts2 


Data 
Type 
Code 


C4 


0 
<= 


1S) QO 


is) 


M 


i) 
NO 


io) 
i) 


@] 
NO 


Cc 


i) 


[= 
Lz 


io) 
is) 


NegAcks1 
NegAcks2 


C2 


Description 


The number of first responses. 
atp: First Responses 


The average first response time. 
atp: First responses @ msec 


The minimum first response time. 
atp: Min/Max 1st response 


The maximum first response time. 
atp: Min/Max 1st response 


The number of times flow control was shut 
down. 


tcp: Zero windows 
dec: Flowcontrol off 


The average amount of time flow control was 
shut down in milliseconds. On the screen, 
this follows the previous value after an @ 
sign. 

tcp: Zero windows 

dec: Flow control off 


The minimum window size range. 
tcp: | Window size range (<min> - <max>) 


The maximum window size range. 
tcp: | Window size range (<min> - <max>) 
atp: Max request bitmap 


The number of keepalive messages. 
tcp: Keep Alives 
dec: Keep Alives 


The average time between keepalive 
messages. On the screen, this follows the 
previous value after an @ sign. 

tcp: Keep Alives @ msec 

dec: Keep Alives @ msec 


The number of Revisit messages. 
dec: Revisits 


The number of Interrupt messages. 


dec: Interrupt messages 
x25: Interrupt packets 


The number of negative acknowledgments. 
dec: Negative acks 


Network General Corporation 


Connections/Applications (Row Type 504) 


DD 


DE 


DF 


DG 


DH 


DI 


DJ 


Column 


MissingFrags1 
MissingFrags2 


InterFrmTime1 
InterFrmTime2 


Description 


The number of Attention messages. 
adsp: Attention msgs 


The number of missing fragments. 
udp: Fragments missing 


The interframe time. 
appl: Inter-frame time 


Symptoms 


FastRetrans 


NFSRetrans 
CmdRetrans 
RplRetrans 


FlowOffs C2 


The number of retransmits. 

tcp: Transport retransmissions 
pep: Transport retransmissions 
dec: Transport retransmissions 
nbp: Retransmissions 

atp: Retransmissions 

adsp: Retransmissions 


The number of fast retransmits. 


tcp: Fast retransmits 
pep: Fast retransmits 
dec: Fast retransmits 
nbp: Fast retransmits 
atp: Fast retransmits 
adsp: Fast retransmits 


The number of NFS retransmits. 
tcp: NFS retransmission 


The number of command retransmits 
lat: Command retransmissions 


The number of reply retransmits 
lat: Reply retransmissions 


The number of flow control offs. 


tcp: Zero windows 

pep: Flow ctrl off too long 
dec: Flow ctrl off 

nbp: — Flow ctrl off 

netb: Flow ctrl off too long 


DataFlowOffs G2 
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The number of Data flow offs. 
tcp: Window sizes exceeded 
pep: Window sizes exceeded 
dec: Data while flow ctrl off 
nbp: Data while flow ctrl off 
netb: Data while flow ctrl off 
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Description 


The number of frozen windows. 
tcp: Windows frozen 


The number of long idles. 


tcp: Idle too long 
dec: Idle too long 
x25: Idle more than 


The number of Ack number decreasing 


tcp: | Ack number decreasing 
pep: Ack number decreasing 
dec: Ack numbers decreasing 
nbp: Ack numbers decreasing 


The number of slow acknowledgments. 


tcp: Long ack times 
pep: Long ack times 
dec: Long ack times 
nbp: Long ack times 


The number of missing acknowledgments. 
pep: Replies missing 
netb: Acknowledge missing 


The number of acknowledgments to a wrong 


netb: Acks to wrong frame 


The number of wrong reply sequences. 
pep: Wrong reply sequences 


The number of missing synchronization 


netb: Sync frames missing 


The number of frames too close. 
lat: Frames too close 


The number of bouncing frames. 
tcp: Bouncing frames 


The number of local routers. 
nbp: Local routers 


The number of multiple source routings. 


pep: Multiple source routings 
netb: Multiple source routings 


Data 
Column 
Column Data Type 
Code 
d: 
DL Longldles 
DM AckNumDecr G2 
symptoms. 
DN SlowAcks 
DO MissingAcks 
DP WrongAcks C2 
frame. 
DQ WrongRpls 
DR MissingSyncs C2 
frames. 
DS CloseFrms G2 
DT BouncingFrms 
DU LocalRtrs 
DV MultiSrcRtg C2 
DW WaitPrinter C2 


The number of long wait for printer 
symptoms. 
atp: Long Wait for printer 
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Column 


DX 


DY 


DZ 


EA 


EB 


EC 


ED 


EE 


Column 
Data 


PaperJjam 


PaperOut 


PrinterDown 


RWOverlaps 


FileRetrans 


LowThruput 


ReqLoops 


DeniedReqs 


Data 
Type 
Code 


io) 


i) 
NO 


© Q 
i) i) is) 


C2 


Cc 


i) 


Cc 


C 


i) 


BE 


Description 


The number of paper jams. 
atp: Paper jam 


The number of out of paper symptoms. 
atp: Out of paper 


The number of printer not responding 
symptoms. 
atp: Printer not responding 


The number of read/write overlaps. 
appl: Read/write overlaps 


The number of file retransmissions. 
appl: File retransmissions 


The number of low throughput symptoms. 
appl: Low throughput 


The number of loops on the same request. 
appl: Loops on same request 


The number of requests denied. 
appl: Requests denied 
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Global Symptoms (Row Types 505 - 507) 


Global Symptoms are objects that contain a number of data fields giving further detail 
about a symptom. 


Global Symptoms are symptoms that affect the segment as a whole (for example, a LAN 
overload) and are therefore, not logically listed under an object of any other type. There 
can be up to 50 Global Symptom objects at a time, and, unlike the other object types, 
they are always recycled. 


The Global Symptoms section consists of the following subsections: 
e Spanning Tree Topology Changes (row type 505) 
e ZIP Storms (row type 506) 
e Bursts (row type 507) 


The Global Symptoms section begins with the following label row: 


0,"Global Symptoms", 


Spanning Tree Topology Changes (Row Type 505) 
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The Spanning Tree Topology Changes subsection contains row type 505, which 
provides information about any topology change symptoms observed by the Expert 
analyzer on your network. Information is given about the local segment, the topology 
before the change, and the topology after the change. 


The following is an example of the Spanning Tree Topology Changes subsection in the 
output file. 


0,"Spanning Tree Topology Changes" ,<CR> 

1505,Active, StartTime, Duration, Frms,LInitObj,LInitAddr,RPriorityl, 
RPriority2,RId1,RId2,RHellol1,RHello2,RDelayl,RDelay2,LPriorityl, 
LPriority2,LObj1,LObj2,LAddri1,LAddr2,LId1,LId2,LCost1,LCost2,<CR> 
505,0,6/22/93 09:44:05,778,9,2,="080002A0745B" ,32768,32766, 
="080002AD81F1",="080002030160",2,2,15,15,32768,32768,1,1, 
="080002AD81F1", 080002AD81F1,080002AD81F1, 080002AD81F1,0,100,<CR> 


The following table describes the column data for row type 505. 
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Column pate 
Column Type Description 
Data 
Code 

A rowtype RT Row type 505 provides information about 
Spanning Tree topology changes. 

B Active BO 1 indicates that the change was still occurring 
when the capture was stopped (in this case, 
many of the following column values will be 
undefined). O indicates that the change was 
not still occurring when the capture was 
stopped. 

Cc StartTime DT The time the first packet was sent indicating 
that the topology had changed or was being 
challenged. 

D pea The duration of the change in milliseconds. 

E Frms The number of spanning tree packets sent by 
all local bridges during the change. 

F LInitObj The object ID of the DLC station that was the 
“local initiator” of the change, that is, the 
bridge that sent the packet that first alerted 
the Expert analyzer to the fact that something 
had changed. 

G LInitAddr SN The address of the bridge that sent the 
packet alerting the Expert analyzer. No 
learned name column is given because 
bridges do not typically have learnable 
names. 

H RPriority1 c2 The priority of the root bridge before and after 

| RPriority2 the topology change. 

J SN The ID of the root bridge before and after the 

K topology change. 

L RHello1 c2 The root's hello time before and after the 

M RHello2 topology change. 

N RDelay1 C2 The root's forward delay time before and after 

O RDelay2 the topology change. 

P LPriority1 C2 The priority of the local designated bridge 

Q LPriority2 before and after the topology change. 

R LObj1 The object ID of the local designated bridge 

S LObj2 before and after the topology change. 

T LAddr1 SN The address of the local designated bridge 

U LAddr2 before and after the topology change. 
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Column Description 
V Lid4 SN The ID of the local designated bridge before 
W LIld2 and after the topology change. 
X LCost1 C4 The local designated bridge's root path cost 
Y LCost2 before and after the topology change. 

ZIP Storms (Row Type 506) 


The ZIP Storms subsection contains row type 506, which provides information about 
any ZIP Storm objects observed by the Expert analyzer on your network. A ZIP Storm 
object is created when the number of ZIP Query packets sent (from all stations) in one 
minute exceeds the ZIP Storm threshold (the value in the ZIPStorm column of the 
DLC Thresholds row). 


The following is an example of the ZIP Storms subsection in the output file. 


0,"AppleTalk ZIP Storms", <CR> 

1506,Active, StartTime, Duration, Queries,Samples,Timel,0Obj1,Addr1, 
Network1,Time2,Obj2,Addr2,Network2,Time3 ,O0bj3,Addr3,Network3, 
Time4 ,Obj4,Addr4,Network4,Time5,0bj5,Addr5,Network5, Time6,Obj6, 
Addr6,Network6, Time7,0bj7,Addr7,Network7,Time8,Obj8,Addr8, 
Network8 , <CR> 

506,1,5/20/93 09:53:31,364214,79,8,5/20/93 09:52:54,13, 
="10549.47",10060,5/20/93 09:53:03,13,="10549.47",10823, 
5/20/93 09:53.04,13,="10549.47",10060,5/20/93 09:53212, 
13:,="10549:.47" ,20823,.5/20/93 09:53:13.,13:,="10549'.47" , 10060, 
5/20/93 09:53:22, 13,="10549.47" ,10823',5/20/93 09:2153723, 
13,,="10549.47",10060,5/20/93 09:53:31,13,="10549.47",10823,<CR> 


The following table describes the column data for row type 506. 


Data 
Column Type 
Data Code 


rowtype 


(aaa 
- i: 
hall ll 
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Column Description 


Row type 506 provides information about ZIP 
storms. 


1 indicates that the ZIP storm was still 
occurring when the capture was stopped (in 
this case, many of the following column 
values will be undefined). O indicates that the 
ZIP storm was not still occurring when the 
capture was stopped. 


The time the first packet was sent indicating 
that the ZIP Query packet exceeded the ZIP 
storm DLC threshold. 


Global Symptoms (Row Types 505 - 507) 
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Column 


7) 


aig 


Column 
Data 


Data 


Type 
Code 


Description 


eee The duration of the ZIP storm in milliseconds. 


ood 


The number of ZIP Query packets sent by all 
stations during the storm. 


The number of sample ZIP Query packets 
given below. 

Information about a series of up to eight 
sample ZIP Query packets is given. If the 
storm is active (Active=1 above), these will be 
the eight ZIP Query packets leading up to the 
storm (including the first packet of the storm) 
or fewer if there were fewer than eight Queries 
before the storm). If the storm is not active, 
these will be the last 8 ZIP Query packets of 
the storm (fewer if there were fewer than 8 
Queries in the storm). 


Object1 
Addr 
Network 


Obj2 
Addr2 


Network2 


iene 
Timei 


The time that the first sample ZIP Query 
packet was sent. 


The object ID of the network station that sent 
the packet. 


The address of the network station that sent 
the packet. 


The first network number requested in the ZIP 
Query. 


The time that the second sample ZIP Query 
packet was sent. (This column value is 
undefined if the value of the Samples column 
above is less than 2.) 


The object ID of the network station that sent 
the packet. 


The address of the network station that sent 
the packet. 


The first network number requested in the ZIP 
Query. 


Time3 


i} 
= 


n 
Zz 


The time that the third sample ZIP Query 
packet was sent. (This column value is 
undefined if the value of the Samples column 
above is less than 3.) 


The object ID of the network station that sent 
the packet. 


The address of the network station that sent 
the packet. 
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AB 


AC 


AD 


AE 


AF 


AG 


Column 
Data 


Network3 


Time4 


Data 
Type 
Code 


Cc 


a 


Description 


The first network number requested in the ZIP 
Query. 


The time that the fourth sample ZIP Query 
packet was sent. (This column value is 
undefined if the value of the Samples column 
above is less than 4.) 


Obj4 


The object ID of the network station that sent 


The address of the network station that sent 


Network4. 


Timed 


Obj5 


Addr5 


Network5 


Time6 


Obj6 


DT 
OB 

the packet. 
SN 

the packet. 
C2 


iw} 
4 


4 Zz 


C2 


is) 


{e) 
ies) 


The first network number requested in the ZIP 
Query. 


The time that the fifth sample ZIP Query 
packet was sent. (This column value is 
undefined if the value of the Samples column 
above is less than 5.) 


The object ID of the network station that sent 
the packet. 


The address of the network station that sent 
the packet. 


The first network number requested in the ZIP 
Query. 


The time that the sixth sample ZIP Query 
packet was sent. (This column value is 
undefined if the value of the Samples column 
above is less than 6.) 


The object ID of the network station that sent 
the packet. 


Addr6 


Network6 


Time7 


Obj7 


Addr7 


n 
Zz 


C2 


4 


n 
Zz 


The address of the network station that sent 
the packet. 


The first network number requested in the ZIP 
Query. 


The time that the seventh sample ZIP Query 
packet was sent. (This column value is 
undefined if the value of the Samples column 
above is less than 7.) 


The object ID of the network station that sent 
the packet. 


The address of the network station that sent 
the packet. 
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Column Description 


Code 


Network7 


ae 


DT 
Objs OB 


The first network number requested in the ZIP 
Query. 


The time that the eighth sample ZIP Query 
packet was sent. (This column value is 
undefined if the value of the Samples column 
above is less than 8.) 


The object ID of the network station that sent 
the packet. 


AK Addr8 SN The address of the network station that sent 
the packet. 
AL Network8 The first network number requested in the ZIP 


Query. 


Ea 


Bursts (Row Type 507) 
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The Bursts subsection contains row type 507, which provides information about any 
overloads, underloads, broadcast storms, and multicast storms observed by the Expert 
analyzer during a capture session. 


The following is an example of the Bursts subsection in the output file. 


0, "Bursts" ,<CR> 

1507,Type, Active, StartTime, Duration, Description, MaxLoad, AvgLoad, 
MaxDTELoad,MaxDCELoad,MinDTELoad,MinDCELoad, AvgDTELoad, 
AvgDCELoad, LocalFrms,RemFrms, Broads, Symps, Protocol,Initiator, 
FrmlTime,<CR> 

507,0,0,12/12/93 15:54:02,1310, "LAN overload",38,25,,,,,,,236,201, 
1,11,,,06/17/93 12:54:39,<CR> 


The following table describes the column data for row type 507. 
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Description 


Row type 507 provides information about 
overloads /underloads/broadcast storms. 


The numeric code giving the global symptom 


0 LAN or WAN overload 
1 Broadcast or multicast storm 
2 WAN underload 


1 indicates that the symptom was still active 
when the capture was stopped (in this case, 
some of the following column values will be 
undefined). O indicates that the symptom was 
not active when the capture was stopped. 


The symptom's start time. 
The duration of the symptom in milliseconds. 


The string reiterating the information in the 
Type column above, for example, "LAN 
overload,” and so on. 


The maximum overall network utilization 
observed over a one-second period during 
this symptom. 


The average overall network utilization 
observed over a one-second period during 
this symptom. 


The maximum DTE utilization observed over a 
one-second period during this symptom. This 
column value is undefined if you are not using 
a Sniffer Internetwork Analyzer. 


The maximum DCE utilization observed over a 
one-second period during this symptom. This 
column value is undefined if you are not using 
a Sniffer Internetwork Analyzer. 


The minimum DTE utilization observed over a 
one-second period during this symptom. This 
column value is undefined if you are not using 
a Sniffer Internetwork Analyzer. 


Data 
Column 
Column Data Type 
Code 
RT 
C2 
type: 
BO 
StartTime or | 
[ouain [OM 
neal ik 
rs 
AvgLoad bal 
MaxDTELoad 
MaxDCELoad 
MinDTELoad PO 
MinDCELoad PO 


The minimum DCE utilization observed over a 
one-second period during this symptom. This 
column value is undefined if you are not using 
a Sniffer Internetwork Analyzer. 
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Column 


Column 
Data 


AvgDTELoad 


AvgDCELoad 


LocalFrms 


RemFrms 


Data 
Type 
Code 


ie) 
BS 


oO 
B 


@: 
(o>) 4 


'e) 
AS 


Ss 


n 
Zz 


DT 


Description 


The average DTE utilization observed over a 
one-second period during this symptom. This 
column value is undefined if you are not using 
a Sniffer Internetwork Analyzer. 


The average DCE utilization observed over a 
one-second period during this symptom. This 
column value is undefined if you are not using 
a Sniffer Internetwork Analyzer. 


The number of frames of all types that were 
sent by local stations during this symptom. 


The number of frames observed that were 
sent by remote stations during this symptom. 


The number of broadcasts or multicasts sent 
during this symptom. 


The number of symptoms at all layers that 
occurred during this symptom (not including 
itself). 


The name of the protocol involved in the 
broadcast storm. This column value is 
undefined if there is no broadcast storm. 


The learned name, if any, or address of the 
DLC station presumed to be responsible for 
the broadcast storm. This column value is 
undefined if there is no broadcast storm. 


The time that the Initiator above sent the first 
frame presumed to be responsible for the 
broadcast storm. This column value is 
undefined if there is no broadcast storm. 
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DLC Station Diagnoses (Row Type 600) 


The DLC Station Diagnoses section contains row type 600, which provides 
information about any diagnoses made at the DLC layer. The following information is 
given for each diagnosis: 


e The start time 

e The duration 

¢ A description of the problem 

e A pointer to the affected DLC Station object 


This section also provides information about the diagnoses resulting from symptoms 
that affect Global Symptom objects. 


= Not all symptom types can result in Expert analyzer diagnoses, despite the number of 
times the symptom occurs. One advantage of the output file is that you can search the 
DLC Station, Network Station, and Connection objects for potentially serious 
occurrences of symptoms that do not appear in the Expert analyzer. 


The following is an example of the DLC Station Diagnoses section in the output file. 


0,"DLC Diagnoses" ,<CR> 

1600,Type, Active, StartTime, Duration, Description, Obj, Protocol,Addr, 
Name, <CR> 

600,13,1,10/26/93 20:04:35,8072, "LAN overload",,,,,<CR> 


The following table describes the column data for row type 600. 


Data 
Type 
Code 


Column 


Column ates 


Description 


Row type 600 provides information about DLC 
Station diagnoses. 
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Column Data 
Column Data Type 
Code 

B Type C2 


Description 


The numeric code identifying the diagnosis 
type: 

13 LAN overload 

14 WAN underload 

15 Broadcast storm 


Token ring only: 

16 High rate of ring entries 

17 ‘High rate of ring purges 

18 High rate of congestion 

19 High rate of remove from ring requests 
20 ~=Ring beaconing 

21 ~High rate of line/burst errors 


Sniffer Internetwork Analyzer only: 

22 Excessive retransmissions 

23  Overcongested WAN station 

24 Congestion on %s during WAN 
underload 

25 High rate of physical errors 


1 indicates that the diagnosis was still 
"open,” or active, when the capture was 
stopped. 

O indicates that the diagnosis was not still 
"open,” or active, when the capture was 
stopped. 


The start time of the diagnosis. 
The duration of the diagnosis in milliseconds. 


The string that describes the information in 
the Type column above. 


The object ID of the DLC station involved, if 
any, so it can be found in the list of DLC 
Station objects above. Because diagnoses 
arising from Global Symptoms are also 
grouped here, there is not always a particular 
DLC Station object involved. If this is the 
case, column values following this column will 
be undefined. 


The protocol of the DLC station involved. 


| Yo 
D StartTime 
G Obj OB 
H Protocol SC 
| Addr SN 
J Name SN 


The DLC station's address. 


The learned name, if any, for the DLC station. 
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Network Station Diagnoses (Row Type 601) 
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The Network Station Diagnoses section contains row type 601, which provides 
information about any diagnoses made at the Network Station layer. The following 
information is given for each diagnosis: 


e The start time 
e The duration 
e A description of the problem 


e A pointer to the affected Network Station object 


The following is an example of the Network Station Diagnoses section in the output 


file. 


0,"Network Station Diagnoses" ,<CR> 

1601,Type, Active, StartTime, Duration, Description, Obj, Protocol, Addr, 
Name, <CR> 

601,9,1,10/26/93 20:04:43,289,"Multiple routers to station 
antigua" ,72,,"IP",=" [L61.69.108.20]",="antiqua" ,<CR> 


The following table describes the column data for row type 601. 


Column 


Data Description 


Row type 601 provides information about 
Network Station diagnoses. 


rowtype 


The numeric code identifying the diagnosis 
type: 

ff Duplicate net address 

8 Local router 

9 Multiple routers to station 

10 All paths lost to subnet 

11 Corrupt routing table 

Apple subnet range conflict 


Type 


1 indicates that the diagnosis was still 
“open,” or active when the capture was 
stopped. 

0 indicates that the diagnosis was not open 
or active when the capture was stopped. 


StartTime The start time of the diagnosis. 


Duration The duration of the diagnosis in milliseconds. 


Description The string that describes the information in 
the Type column above. 


G Obj The object ID of the station involved so it can 
be found in the list of Network Station objects 
above. 
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Column 


Data Description 


Protocol The protocol of the station involved. 


Addr The address of the station involved. 


The learned name, if any, for the station. 
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Connection Diagnoses (Row Type 602) 


72 


The Connection Diagnoses section contains row type 602, which provides information 
about any diagnoses made at the Connection layer. The following information is given 
for each diagnosis: 


e The start time 
e The duration 
e A description of the problem 


e A pointer to the affected Connection object 
The following is an example of the Connection Diagnoses section in the output file. 


0,"Connection Diagnoses" ,<CR> 

1602,Type, Active, StartTime, Duration, Description, Obj,DLCCnx,Obj1, 
Obj2,ApplID1,ApplID2,Addr1,Addr2,Namel1,Name2 ,<CR> 

602,6,1,12/12/93 15:50:36,3838547, "Retransmissions: [161.69.100.48] & 
[161.693.1791 ",97,0,95, 96, "Port: 1358", "Port; 

3200" ,="[16L.69.1700.48]" ;=" [161.'69'3;;119)", 4 .<CR> 


The following table describes the column data for row type 602. 


Type Description 


A rowtype RT Row type 602 provides information about 
Connection diagnoses. 

B The numeric code identifying the diagnosis 
type: 


5 Non-responsive station 
6 Retransmissions 


C Active BO 1 indicates that the diagnosis was still 

“open,” or active, when the capture was 

stopped. 

O indicates that the diagnosis was not still 

“open,” or active, when the capture was 
stopped. 


D StartTime The start time of the diagnosis. 
E Pe [or The duration of the diagnosis in milliseconds. 


F The string that describes the information in 
the Type column above. 

G The object ID of the connection involved, so it 
can be found in the list of 
Connection/Application objects above. 

H DLCCnx BO See the columns of the same name under the 


"Connections/Applications" row. 
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Connection Diagnoses (Row Type 602) 


Description 


See the columns of the same name under the 
"Connections/Applications" row. 


K AppllD1 See the columns of the same name under the 
L ApplID2 "Connections/Applications" row. 
M Addri See the columns of the same name under the 
N Addr2 "Connections/Applications" row. 
O Name1 See the columns of the same name under the 
P Name2 "Connections/Applications" row. 
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Application Diagnoses (Row Type 603) 


The Application Diagnoses section contains row type 603, which provides information 
about any diagnoses made at the Application layer. The following information is given 
for each diagnosis: 


© The start time 
e The duration 
e A description of the problem 


e A pointer to the affected Application object 
The following is an example of the Application Diagnoses section in the output file. 


0,"Application Diagnoses" ,<CR> 

1603, Type, Active, StartTime, Duration, Description,NetObj,Obj,DLCCnx, 
Obj1,0bj2,App1ID1,ApplID2,Addr1,Addr2,Namel,Name2 ,<CR> 
603,8,1,09/28/93 18:12:13,27659, "Local router: [161.69.100.48] & 
[£.61.069'.3:.119]™, ,45:0;,,44,-42;, "Port: 3200", "Bort: 

1299" ,="[161.69.3.119)",="[161.69.100.48]",,«,<€R> 


The following table describes the column data for row type 603. 


Data 
Type 
Code 


Type C2 


Column 
Data 


Column Description 


Row type 603 provides information about 
Application diagnoses. 


The numeric code identifying the diagnosis 
type: 

0) File overlap/retransmission 

L. Slow file transfer 

2 Slow server 

3 Excessive repeated requests 
Excessive requests denied 


1 indicates that the diagnosis was still 
“open,” or active when the capture was 
stopped. 

O indicates that the diagnosis was not “open” 
or active when the capture was stopped. 


Active 


StartTime The start time of the diagnosis. 


Duration The duration of the diagnosis in milliseconds. 


The string that describes the information in 
the Type column above. 


Description 
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Column 


OU) o2z|=ar 


Namet 
Name2 


Data 
Type 
Code 


Description 


1 indicates that the subject of this diagnosis 
is a network station. This only applies for the 
"slow server" application diagnosis (the 
column value of Type above is 2). If this is the 
case, certain column values in the rest of the 
row will be undefined. 

0 indicates that the subject of this diagnosis 
is not a network object. 


The object ID of the connection (or Network 
Station) involved, so it can be found in the list 
of Connection/Application (or Network 
Station) objects above. 


See the columns of the same name under the 
"Connections/Applications" row. 


BO 
N 
N 
N 


See the columns of the same name under the 
"Connections/Applications" row. 


See the columns of the same name under the 
"Connections /Applications" row. 


See the columns of the same name under the 
"Connections/Applications" row. 


See the columns of the same name under the 
"Connections/Applications" row. 
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Connection/Application Protocols 


The Connections/Applications section (row type 504) in the Expert analyzer output 
file contains information that is protocol dependent. The following tables indicate the 
protocols that are valid for the specified column. See “Connections/Applications (Row 
Type 504)” on page 50 for the column definitions. 


The following abbreviations are used to specify the protocols: 


tcp IP TCP 

udp IP UDP 

pep NetWare PEP 
spp NetWare SPP 
x25 X.25 

netb NetBIOS 

nbp NBP 

dec DEC 

lat DEC LAT 

atp AppleTalk ATP 
adsp AppleTalk ADSP 


When an Application object has been created for the connection, that information 
may also be available in the Connections/Applications section of the output file. The 
abbreviation “appl” is used to specify the Application layer. 


Because a column is noted as being defined for a protocol or Application object, it does 
not mean that it will be defined in all situations (for example, the value for the Thruput 
column in the Connections/Applications row is defined only if an Application object 
exists, but even if one does, the column value will still be undefined if no data transfer 
has yet taken place). 


Connection Statistics Not Broken Out by Side: Availability by Protocol 


Column Data 


UsefulData 


AppReqs 
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Column Column Data 


FileXfers 


Thruput 


FileBytes 


Data Length 


Connection Statistics Broken Out by Side: Availability by Protocol 


Column Data ieee ee ea nbp x25 | at | adsp Iso appl 


Column 

BD/BE Frms 

BF/BG Bytes 

BH/BI ExpBytes 
BJ/BK Reqs 

BL/BM Resps 

BN/BO 

BP/BQ RetransTime “4 
BR/BS Retrans B 
BT/BU RespRetrans 
BV/BW_ | AvgAck 

BX/BY 1stResps 
BZ/CA 1stRespTime’4 
CB/CC MinistResp’4 
CD/CE 


CF/CG 
CH/Cl 


| MaxistResp44 
FlowOff 
FlowOffTime” 4 


WinSizeMin 


WinSizeMax4 


* * 
* * * * 


CN/CO KeepAlives 
CP/CQ KeepAliveTime’ 4 
CR/CS Revisits * 


78 


Interrupts 


Network General Corporation 


Connection/Application Protocols 


Column Data 


NegAcks el 


MissingFrags 


Column 


InterFrmTime 


AA = this statistic is linked to the previous column value; either both columns have values or 
neither do. (Exception: WinSizeMax for atp.) 


Connection Symptoms: Availability by Protocol 


Column Column Data tcp | udp | pep dec | tat | nbp | netb | x25 | atp | adsp | appl 
oF | were i eas 
oe onarevos | | | |-|1>- 11 | |_— 
om [vores | |_| |_| [>|_| | [ | _ 
ST i GP 
oo _[osarmors [et | {-t*{ [*{-1 | |_| 
x [rows >| | | |. {| | | — 
owns t| | | 1°] | = 
on [aaowmoee [= ff [*{=|_ 

ov [somes =| | [ete t [> 

[wena {1 [-[-| | 1 1] 

DP WrongAcks iat walt) 

DQ WrongRepls | ‘i a a 

DR MissingSyncs Lm = as 
DT BouncingFrms # = 

DU LocalRtrs ig 

DV | MultiSrcRtg ms m 

DW | WaitPrinter — a Re ie 
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Column Column Data 


[ravenom [| 
PaperOut fet 
rineroom [| 


RWOverlaps 


FileRetrans 


LowThruput 


ReqLoops 
DeniedReqs 
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